Preface



The 1999 Annual Conference of the European Association for Computer Science Logic, CSL’99, was held in Madrid, Spain, on September 20-25, 1999. CSL’99 was the 13th in a series of annual meetings, originally intended as International Workshops on Computer Science Logic, and the 8th to be held as the Annual Conference of the EACSL. The conference was organized by the Computer Science Departments (DSIP and DACYA) at Universidad Complutense in Madrid (UCM).

The CSL’99 program committee selected 34 of 91 submitted papers for presentation at the conference and publication in this proceedings volume. Each submitted paper was refereed by at least two, and in almost all cases, three different referees. The second refereeing round, previously required before a paper was accepted for publication in the proceedings, was dropped following a decision taken by the EACSL membership meeting held during CSL’98 (Brno, Czech Republic, August 25, 1998).

In addition to the contributed papers, the scientific program of CSL’99 included five invited talks (J.L. Balcazar, J. Esparza, M. Grohe, V. Vianu and P.D. Mosses) and two tutorials on “Interactive Theorem Proving Using Type Theory” by D.J. Howe and “Term Rewriting” by A. Middeldorp. Four of the invited speakers have provided papers that have been included in this volume. For the remaining invited speaker, as well as the tutorialists, one-page abstracts have been included. The contents of the invited and contributed papers fall mainly under the following topics: concurrency, descriptive complexity, lambda calculus, linear logic, logic programming, modal and temporal logic, mu calculus, specification, type theory and verification.

We are most grateful to the members of the program committee and all the referees for their work. Finally, we are indebted to all the members of the local organizing committee for their support, which included maintenance of Web pages and assistance to the editing work needed to prepare this proceedings volume according to Springer’s instructions.
Topological Queries in Spatial Databases



Victor Vianu 

Univ. of California at San Diego, CSE 0114, La Jolla, CA 92093-0114 



Abstract. Handling spatial information is required by many database applications, and each poses different requirements on query languages. In many cases the precise size of the regions is important, while in other applications we may only be interested in the topological relationships between regions — intuitively, those that pertain to adjacency and connectivity properties of the regions, and are therefore invariant under homeomorphisms. Such differences in scope and emphasis are crucial, as they affect the data model, the query language, and performance. This talk focuses on queries targeted towards topological information for two-dimensional spatial databases, where regions are specified by polynomial inequalities with integer coefficients. We focus on two main aspects: (i) languages for expressing topological queries, and (ii) the representation of topological information. In regard to (i), we study several languages geared towards topological queries, building upon well-known topological relationships between pairs of planar regions proposed by Egenhofer. In regard to (ii), we show that the topological information in a spatial database can be precisely summarized by a finite relational database which can be viewed as a topological annotation to the raw spatial data. All topological queries can be answered using this annotation, called topological invariant. This yields a potentially more economical evaluation strategy for such queries, since the topological invariant is generally much smaller than the raw data. We examine in detail the problem of translating topological queries against the spatial database into queries against the topological invariant. The languages considered are first-order on the spatial database side, and fixpoint and first-order on the topological invariant side. In particular, it is shown that fixpoint expresses precisely the PTIME queries on topological invariants. This suggests that topological invariants are particularly well-behaved with respect to descriptive complexity. (Based on joint work with C.H. Papadimitriou, D. Suciu and L. Segoufin.)
The Consistency Dimension, Compactness, and Query Learning



Jose L. Balcazar

Departament LSI, Universitat Politecnica de Catalunya, Campus Nord, 08034 Barcelona, Spain

Abstract. The consistency dimension, in several variants, is a recently introduced parameter useful for the study of polynomial query learning models. It characterizes those representation classes that are learnable in the corresponding models. By selecting an abstract enough concept of representation class, we formalize the intuitions that these dimensions relate to compactness issues, both in Logic and in a specific topological space. Thus, we are led to the introduction of Quantitative Compactness notions, which simultaneously have a clear topological meaning and still characterize polynomial-query learnable representation classes of boolean functions. They might have relevance elsewhere too. Their study is still ongoing, so that this paper is in a sense visionary, and might be flawed.

Compactness is to topology as finiteness is to set theory.

H. Lenstra (cited in [7])

Polynomial versus exponential growth corresponds in some sense to countability versus uncountability.

M. Sipser [8]



1 Introduction 

This somewhat nonstandard paper discusses, mostly at an intuitive level, recent and ongoing work of the author and colleagues in a rather unclassifiable research area.

The basic connections between Logic and Topology are long well understood, to the extent that the central Compactness Theorems in Logic are widely known through their natural topological name. By restricting ourselves to the very easy propositional case, we want to transcend here these currently known connections by encompassing other mathematically formalized areas of combinatorial nature.

The reason for this text is as follows. An intuition born from considerations similar to compactness in logic led to some recent advances in query learning [1]. However, these intuitions eventually became more a hindrance than a help, and were dropped from that paper. They became labeled as “to be discussed elsewhere”; namely, here.

J. Flum and M. Rodriguez-Artalejo (Eds.): CSL’99, LNCS 1683, pp. 2-13, 1999. 

© Springer-Verlag Berlin Heidelberg 1999 
1.1 Topology Versus Computation

The long history of implications of logical concepts on computation-theoretic issues suggests that compactness, having a clear logical meaning, might be relevant too for other applications in computation theory. However, whereas compactness is a qualitative, yes/no property, many mathematical issues of computational flavor are inherently quantitative; thus, interesting intuitions might be gleaned from topological concepts such as compactness, but quantitative compactness notions of some sort seem likely to be necessary.

The main contribution of this paper is the proposal of a formalization of a quantitative notion of compactness. Indeed, comparing different compact subspaces of a fixed topological space we might as well find that some of them are “more compact” than others.

Thus, specifically, we propose first a quantitative notion of compactness, the compactness rate, and explain that, on a specific, rather natural topological space $\Sigma$, it has a close relationship with the learnability of representation classes of boolean functions through equivalence queries. Then we also discuss some slightly unconvincing aspects of our proposal, we suggest a second one, and explain that, in the same space $\Sigma$, this second approach has a similarly close relationship with learnability from membership queries.

In a final section we hint at wide areas of open questions whose answers, we 
feel, might provide illustrative intuitions on the combinatorial material handled 
by these, and other, popular computational learning models. 



1.2 Disclaimer 

As ongoing work, the materials included here at the time of going to press have undergone no peer review process at all, and even some parts of the less detailed discussion have not been duly formalized yet; thus this text may well be full of mistakes. The home page of the author on the web (www.lsi.upc.es/~balqui) will be in the near future (read a few months) a reasonable source for the less unfaithful version of the results available at each moment (if any).



2 Preliminaries 

We denote the set of the natural numbers as $\mathbb{N}$, or as $\omega$ to emphasize its use as an ordinal. We consider binary words of a length $n$, when necessary, as indices into an infinite binary word such as a characteristic function of a formal language; or, alternatively, as values for $n$ boolean variables, or attributes, and thus inputs to a boolean $n$-ary function.
2.1 Topology

We recall briefly some topological concepts. Topological spaces consist of a domain and a family of subsets of this domain, closed under arbitrary unions and finite intersections. The sets in the family are called open sets; the empty subset and the whole space must always be open sets. Frequently only an open basis is given, and open sets are those obtained from the given basis through these operations. The complements of open sets are called closed sets. The topology can be given as well as the family of closed sets, which should be closed under finite unions and arbitrary intersections, or by a closed basis. Subspaces are defined by subsets of the domain, restricting all open or closed sets to their traces on the subspace, i.e. to their intersections with the subset.

Compact (sub)spaces play an important role since they guarantee certain convergence facts for sequences and, more generally, for filters. A topological space is compact if the following axiom holds in it: every family of open sets that covers the whole space, in the sense that their union coincides with it, has a finite subfamily that already covers the whole space. This is known as the Borel-Lebesgue axiom (see, however, the remarks about the work of Cousin in [7]), and can be stated equivalently as follows: every family of closed sets with empty intersection has a finite subfamily that already has empty intersection. Two other characterizations of compactness are: every filter has an adherence value, and every ultrafilter converges. (Here we are glossing over some separateness conditions that turn out to be irrelevant for our purposes.) It is not difficult to see that we can restrict our attention to families of sets that are finite unions of basic closed sets.

The discrete topology on any given space is rather trivial: every subset is accepted as an open set. We will obtain from it more sophisticated topologies through the product construction.

A product space is a topological space $X = \prod_{i \in \omega} X_i$ endowed with the standard product topology of the factor topological spaces $X_i$; that is, open sets of $X$ are products of finitely many proper open sets from the factors, all the other factors being equal to the whole factor spaces $X_i$; or arbitrary unions thereof. Of course, arbitrary index sets can be used instead of $\omega$ to construct product spaces; but we will limit ourselves to product spaces consisting of $\omega$ components.

Actually, in such a product topology, we can (and will) consider a closed set basic if only one projection on a factor space $X_i$ is a closed set different from the whole factor $X_i$, and it is a basic closed set there too. The corresponding dimension will be called the nontrivial axis of the basic set. Clearly, all closed sets are intersections of basic sets.

The following three facts will be important. First, a discrete topological space is compact iff it is finite. Second, a product space is compact iff all its factors are; this is Tychonoff’s theorem. Third, in a compact space, the compact subspaces are exactly the closed sets. See [7] for an extremely instructive historical perspective of the original development of the notion of compactness, and for additional references (beyond your own favorites) on the technicalities of the topological materials.
From now on, we will focus on countably compact spaces, where the condition of empty intersection of some finite subfamily only applies to countable families of closed sets; so that $\omega$ suffices as index set. I believe that this restriction is not really relevant; it is not, certainly, for the specific space $\Sigma$ on which we focus later on.

2.2 Logic 

We restrict ourselves to propositional logic in this text. 

The language of propositional logic includes propositional variables, which we will consider as atomic; this means that their meanings, or truth values, can vary among exactly the two boolean constants True and False. They get tied together with connectives such as conjunction, disjunction, and negation, making up propositional formulas. We assume a fixed infinite supply of propositional variables $\{x_i \mid i \in \mathbb{N}\}$.

Models in propositional logic consist simply of a truth value interpretation for each propositional variable; through the standard rules, this assigns a truth value to each formula. A model satisfies a set of formulas if all of them get value True under that model.

Trusting that the reader will not get confused, we will use the symbols {0, 1} 
to abbreviate the truth values False and True respectively. Then we consider the 
finite topological space {0,1} endowed with the discrete topology; by the facts 
enumerated above, it is obviously compact. 

Then the space of models is formed by infinite sequences of boolean values, with component $i$ being the truth value of the propositional variable $x_i$ and, as such, it can be endowed with the corresponding product topology: $\prod_{i \in \omega} \{0,1\}$, the product space of $\omega$ copies of the binary discrete space. By Tychonoff’s theorem, it is compact.

In the corresponding product topology, the basic open sets correspond to 
finitely many restrictions of components to a single bit, leaving all the others 
free; that is, each basic open set is the set of models of a term. We have actually 
taken the slightly more restricted basis of open sets in which a single component 
is restricted to a single bit, i.e. models for literals. Automatically these are as 
well the basic closed sets. 

It is not difficult to see that now the clopen sets (sets that are simultaneously 
open and closed) are exactly finite unions of finite intersections of these, i.e., the 
set of models of a DNF-like formula (a boolean polynomial); or, equivalently, 
finite intersections of finite unions of basic open sets, i.e., the set of models of a 
CNF-like formula. 

Similarly, closed sets are arbitrary intersections of these, thus sets of models of a possibly infinite set of boolean formulas; and, now, families of clopen sets having empty intersection correspond to unsatisfiable sets of formulas, and therefore the statement that the space is compact literally corresponds to the fact that, if every finite subset of a set of formulas is satisfiable, then the whole set is satisfiable. Hence the name Compactness Theorem.
2.3 Computational Learning

Some areas of Computational Learning Theory study models for the learnability 
properties of boolean functions. Each model provides a framework to present 
in unified manners several learning algorithms, and, more importantly, allows 
us to prove negative results by which no algorithm can exist to learn some 
representation of knowledge within a given learning model. See [6]. 

Many models take into account resource limitations, such as time or space. 
We will be working with polynomial query models, where computation resources 
are not limited but the amount of information provided about the concept to be 
learned is. 

We focus on learning representations of boolean functions, as an extremely basic form of knowledge. A boolean function of arity $n$ is a function from $\{0,1\}^n \mapsto \{0,1\}$; identifying $2 = \{0,1\}$ as usual and identifying $2^A$ with the power set operator $\mathcal{P}(A)$ also as usual, and, for finite $A$, with the set of binary characteristic sequences of subsets of $A$, we see that the set of boolean functions of arity $n$ is $2^{2^n}$; each function being defined by a member of the set $2^{2^n} = \{0,1\}^{2^n}$, that is, a sequence of $2^n$ bits (its truth table).

There is a large choice of means of representing boolean functions: boolean circuits, boolean formulas, and their CNF-like and DNF-like depth-two subclasses are fundamental ones, but decision trees, branching programs, OBDDs, and even formal language models such as finite automata are popular for diverse applications. Some of them are able to represent functions $f$ from a variable number of binary arguments; then we will mostly consider their restrictions to a fixed number of arguments, $n$, and we denote such restrictions as $f|_n$.

Representation classes are frequently defined as tuples $(R, \rho, |.|)$ where $R \subseteq \{0,1\}^*$ is a formal language whose strings are considered as syntactically correct descriptions of some computing device; $\rho : R \mapsto \mathcal{P}(\{0,1\}^*)$ is the semantic function that indicates what is the boolean function or formal language $\rho(c)$ described by the device $c \in R$; and $|.| : R \mapsto \mathbb{N}$ measures the size $|c|$ of each description $c \in R$. Frequently $|c|$ is simply its length as a string. Sometimes even the syntactic and semantic alphabets are allowed to vary and get therefore included in the tuples forming the representation classes.

“Honesty” conditions are usually imposed to ensure that it is reasonably 
feasible to decide whether a given string belongs to the concept described by a 
given description, as well as computing the size of a description. 

In essence, in our polyquery learning models, a hidden concept (the boolean function or formal language $\rho(c)$) has to be identified, by finding, through some sort of interaction, an alternative, not too large, representation $c'$ for the concept: $\rho(c') = \rho(c)$. We will be interested in the interaction, or quantity of information available, as a computational resource; thus, we will mostly ignore up to polynomial space computations. It turns out that this implies that most of the information provided by the representation class is unimportant. The only central issue is that a representation class provides a “size” for each boolean function $f$ of any fixed arity $n$: the size is $|c|$, where $c$ is a smallest (with respect to $|.|$) description of $f$: that is, $\rho(c)$ behaves as $f$ on $\{0,1\}^n$, or $\rho(c)|_n = f|_n$.
Thus, for us, a representation class will be simply a size function $R = (R_n)_{n \in \mathbb{N}}$ for boolean functions: $R_n : 2^{2^n} \mapsto \mathbb{N}$. For $f \in 2^{2^n}$, we frequently abbreviate $R_n(f)$ as $|f|_R$, the size of $f$ as measured by the representation class $R$. We can allow $f$ to reach some $\infty \notin \mathbb{N}$ value in case we want to deal with representations that cannot describe all boolean functions; this issue is not relevant to our work here, and simply one has to adjust the universe of allowed concepts accordingly.

In the equivalence queries model, a learner interacts with a teacher as follows: 
in each round, the learner queries about a representation from the class (in 
our case, this only means that the learner will pay the size of its hypothesis, 
measured according to the size function defining the class). The teacher either 
answers YES, if the hypothesis represents exactly the target concept, or gives 
a counterexample otherwise. We assume that all our learning algorithms are 
provided with the number n of attributes of the function to be learned and with 
a bound m on the size of the target function under the chosen representation. 

Polynomial query means that the number of queries and the size of each query have to be polynomially bounded in $n$ and $m$; we ignore how difficult it is, computationally, to find the representation the learner wants to query; however, it can be seen that PSPACE suffices [5]. In the membership query model, the learner simply asks the teacher to evaluate the target concept on a given binary word, and gets a binary answer. The combined model allows both sorts of queries.

We will impose a final technical restriction, which makes our results weaker than they seem. We assume that our learning algorithms do not make equivalence queries larger than the bound $m$ provided. We call these algorithms mean. This is a strong restriction since some learning algorithms do not obey it, mostly for other models such as equivalence and membership queries; but many of the most relevant learning algorithms with only equivalence queries do actually obey this restriction.

Note finally that this restriction is not so for membership queries, where the 
only role the representation class plays is to provide the initial bound on the size 
of the concept. 

3 Compactness: A Quantitative Approach 

For most of the paper, we assume that the topological space $X$ under consideration is a product space of $\omega$ spaces, $X = \prod_{i \in \omega} X_i$, and assume as fixed a family of basic closed sets on each factor $X_i$. Then we can select, and fix from now on, our family of basic closed sets as indicated above: just one component is allowed to differ from its corresponding whole factor, and must be a basic closed set in it.

We will be interested in the long-run behavior of points in $X$. To help concentrate on it, the following technical notion will be useful. For a set $A$, its spread up to dimension $n$ (or to axis $n$), denoted $A^{(n)}$, is the set formed by all points in $X$ that coincide with a point in $A$ in all components beyond $n$, including $n$ itself. Thus $A^{(0)} = A$.
Proposition. $A$ is compact iff all its spreads are compact.

The purpose of that definition is to make up some sort of parameter to serve as a scale against which we can quantify the compactness of $A$.

Specifically: let $A \subseteq X$ be compact. We define its compactness rate $d_A(n)$ as follows. Let $\mathcal{F} = \{F_i \mid i \in \omega\}$ be an infinite family of basic sets, such that $A \cap \bigcap_{i \in \omega} F_i = \emptyset$; then, by the compactness of the spreads, for each $n \in \mathbb{N}$, there is a finite subfamily of $\mathcal{F}$, $\{F_{i_1}, \ldots, F_{i_m}\} \subseteq \mathcal{F}$ of size say $m$, such that $A^{(n)} \cap \bigcap_{j=1}^{m} F_{i_j} = \emptyset$. Define $d_A(n)$ to be the smallest such $m$ fulfilling this condition for all $\mathcal{F}$ (if it exists). Then we say that the compactness rate of $A$ is the function $d_A : \mathbb{N} \mapsto \mathbb{N}$. Surely it could be undefined, in case no such $m$ exists.

An alternative definition proposal will be discussed in a later section. 



4 Learnability from Equivalence Queries 

Now we select a pretty specific product topological space, $\Sigma = \prod_{i \in \omega} X_i$ where each component is $X_i = 2^{2^i} = \mathcal{P}(2^i) = \mathcal{P}(\{0,1\}^i)$. As described above, we can see each point of $X_i$ as a set of strings of $i$ bits each; alternatively, as a boolean function on $i$ boolean variables; or, by looking at its truth table, as a single string of length $2^i$.

Thus, this product space $\Sigma = \prod_{i \in \omega} X_i$ can be seen as a space of boolean functions, where each point defines one boolean function for each arity; or as a space of formal languages, each point being the characteristic function of a language $L \subseteq \{0,1\}^*$, where the $i$-th component provides the values of the characteristic function of $L$ restricted to $\{0,1\}^i$.

Each $X_i$ is endowed here with the discrete topology, and is finite, so that $\Sigma$ is compact. The basic closed sets we select in each component are those of the form $F_{w,b}$ defined as follows: for $w \in \{0,1\}^i$ and $b \in \{0,1\}$, the points of $X_i$ in $F_{w,b}$ are those where the bit indexed by $w$ is $b$. Equivalently, seeing each point as an $i$-ary boolean function $f$, $f \in F_{w,b}$ iff $f(w) = b$.

Proposition. The space $\Sigma$ just defined is homeomorphic to the space $\prod_{i \in \omega} \{0,1\}$, the product space of $\omega$ copies of the binary discrete space.

However, currently our results depend on the family of closed sets selected, and we cannot obtain the same theorems (yet?) for arbitrary homeomorphic copies of $\Sigma$. In any case, we are working with a quite familiar space; but the way we present it is tailored to reflect, within the product topology, considerations corresponding to a length-wise treatment of formal languages over a binary alphabet; or to parallel the structure given by a family of boolean functions, one for each arity. Then, a component of a point of $\Sigma$, on a specific dimension, can be seen as a concept that we can try to learn.
4.1 The Consistency Dimension

Many learning models have a combinatorial characterization of what is and what is not learnable, if we ignore up to polynomial space computations. For instance, a representation class is learnable from polynomially many labeled examples if and only if its Vapnik-Chervonenkis dimension is polynomial [2]. We consider now a similar parameter due to Guijarro [4] (see also [1], where this definition appears as the variant called “sphere number”).

An example of length $n$ for a concept is just a pair $(w, b)$ where $w \in \{0,1\}^n$ and $b \in \{0,1\}$. A subset $A \subseteq \{0,1\}^n$ is consistent with it if $b \iff w \in A$ (that is, $b = 1$ exactly when $w \in A$); this is naturally extended to define consistency with a set of examples. The consistency dimension $\delta_R$ of a representation class $R$ is the function that gives, for each $n$ and $m$, the cardinality $\delta_R(n,m)$ of the smallest set of examples that is not consistent with any subset of $\{0,1\}^n$ assigned size at most $m$ by the representation class; but such that it is minimally so. That is, removing any single example from it yields a set of examples that is consistent with some subset of $\{0,1\}^n$ (or: concept) representable within size at most $m$.

The name stems from the fact that it can be rewritten equivalently in the following form [1]: within $\{0,1\}^n$, and for $d = \delta_R(n,m)$, if all the subsamples of cardinality at most $d$ of any arbitrary sample (or: set of examples) $S$ are consistent with some concept of size $m$ under $R$, then $S$ itself is consistent with some concept of size $m$ under $R$. Here the analogy to the Compactness Theorem is apparent, and motivates the theorem we state below. In the same reference, the following is proved: a representation class is learnable with polynomially many equivalence queries of polynomial size if and only if it has polynomially bounded consistency dimension.
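To make the consistency dimension and the equivalence-query protocol of Section 2.3 concrete, here is an added example in Python (written for this page; it is not code from the paper or its author). It fixes a small, constructed representation class, the class of terms, in which a concept (a subset of $\{0,1\}^n$) has size equal to the number of literals of the single conjunction whose model set it is, and size $\infty$ otherwise. On that class it computes $\delta_R(n,m)$ by brute force over every sample on $\{0,1\}^n$, using the subsample form quoted from [1] above, and it runs the equivalence-query protocol with a "mean" learner that never queries a hypothesis larger than the promised bound $m$ and pays the size of each query. All function names (`term_size`, `consistency_dimension`, `mean_eq_learner`, `teacher_answer`) and the teacher's rule for picking a counterexample (the lexicographically least disagreement) are choices made for this example.

```python
# Added example (not from the paper): a constructed representation class (terms),
# its consistency dimension by brute force, and a "mean" equivalence-query learner.
from itertools import combinations, product

INF = float("inf")


def words(n):
    """All binary words of length n as bit tuples, in lexicographic order."""
    return list(product((0, 1), repeat=n))


def term_size(concept, n):
    """Constructed size function R_n: number of literals of the conjunction whose
    model set is exactly `concept` (a frozenset of n-bit words); INF when no
    single conjunction has that model set (the empty concept included)."""
    if not concept:
        return INF
    free = sum(1 for i in range(n) if len({w[i] for w in concept}) == 2)
    # the model set of a term is a subcube: the full product over its free bits
    return n - free if len(concept) == 2 ** free else INF


def concepts_of_size(n, m):
    """All subsets of {0,1}^n that term_size assigns size at most m."""
    ws = words(n)
    return [frozenset(c) for k in range(len(ws) + 1)
            for c in combinations(ws, k) if term_size(frozenset(c), n) <= m]


def consistent(concept, sample):
    """A concept is consistent with an example (w, b) iff (w in concept) == b."""
    return all((w in concept) == bool(b) for w, b in sample)


def some_consistent(sample, hyps):
    """Some hypothesis in hyps consistent with the whole sample, or None."""
    return next((c for c in hyps if consistent(c, sample)), None)


def consistency_dimension(n, m):
    """delta_R(n, m): the least d such that any sample whose subsamples of size
    <= d are all consistent with a concept of size <= m is itself consistent.
    The smallest inconsistent subsample of an inconsistent sample is minimally
    inconsistent (consistent again after dropping any one example), so the
    least such d is the largest size of a minimally inconsistent sample."""
    hyps = concepts_of_size(n, m)
    ws = words(n)
    largest = 0
    # a sample labels each word 0 or 1, or leaves it out (None)
    for labels in product((None, 0, 1), repeat=len(ws)):
        sample = [(w, b) for w, b in zip(ws, labels) if b is not None]
        if some_consistent(sample, hyps) is not None:
            continue
        if all(some_consistent(sample[:i] + sample[i + 1:], hyps) is not None
               for i in range(len(sample))):
            largest = max(largest, len(sample))
    return largest


def teacher_answer(hypothesis, target):
    """YES (None) if hypothesis == target, else the lexicographically least word
    on which they disagree, labelled by the target (a choice made here)."""
    disagreements = sorted(hypothesis ^ target)
    if not disagreements:
        return None
    w = disagreements[0]
    return (w, 1 if w in target else 0)


def mean_eq_learner(n, m, target):
    """Identify `target` (a concept of size <= m) with equivalence queries.
    The learner is "mean": every hypothesis it queries has size <= m, and it
    pays the size of each one.  It always queries a size-<= m concept that is
    consistent with the counterexamples received so far; a counterexample rules
    that hypothesis out for good, so the loop ends after at most len(hyps)
    rounds.  Returns (learned concept, number of queries, total size paid)."""
    hyps = concepts_of_size(n, m)
    seen, queries, cost = [], 0, 0
    while True:
        h = some_consistent(seen, hyps)
        if h is None:
            raise ValueError("target is not representable within size m")
        queries += 1
        cost += term_size(h, n)
        answer = teacher_answer(h, target)
        if answer is None:
            return h, queries, cost
        seen.append(answer)


if __name__ == "__main__":
    for m in range(3):
        print(f"delta_R(2, {m}) = {consistency_dimension(2, m)}")
    x1 = frozenset({(1, 0), (1, 1)})   # constructed target: the term x1
    print(mean_eq_learner(2, 1, x1))   # (frozenset({(1, 0), (1, 1)}), 3, 3)
```

For $n = 2$ the search gives $\delta_R(2,0) = 1$ (a single negative example already defeats the only size-0 concept, the whole cube), $\delta_R(2,1) = 3$ (for instance, one negative word together with its two neighbours as positives, which no half-cube fits), and $\delta_R(2,2) = 4$ (the all-negative sample is minimally inconsistent because the empty concept has size $\infty$). The learner identifies the term $x_1$ with three queries of size one each. The search enumerates $3^{2^n}$ samples, so it is only meant for $n \le 3$.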

Given a representation class $R$, each size bound $h : \mathbb{N} \mapsto \mathbb{N}$ defines a set $A(R,h) = \{ f : \{0,1\}^* \mapsto \{0,1\} \mid R(f|_n) \le h(n) \}$. By viewing $f$ as consisting of $\omega$ components, $f = (f|_0, f|_1, \ldots, f|_n, \ldots)$, each being a boolean function of arity $n$, specified by $2^n$ bits, and thus a member $f|_n \in 2^{2^n} = X_n$, we see that $A(R,h) \subseteq \Sigma$. The connection is now completed as follows.

Theorem. As a subspace of $\Sigma$, the set $A(R,h)$ is always compact, and the consistency dimension of $R$ corresponds to the compactness rate of $A(R,h)$, in the following sense:

a/ For all $n$, $\delta_R(n, h(n)) \le d_{A(R,h)}(n)$.

b/ The bound is tight: for infinitely many $n$, $\delta_R(n, h(n)) = d_{A(R,h)}(n)$.

Thus, for the model of learning from equivalence queries, we obtain the fol- 
lowing topological characterization (which we state only half-formally for now) 
of the representation classes that can be learned: 

Corollary. A representation class is polynomial-query learnable from equivalence queries iff all the compact sets obtained from it by bounding the size have polynomially growing (w.r.t. the size bound) compactness rates.
5 Compactness in Terms of Convergence

We consider now the following natural alternative. Instead of considering empty 
intersections of closed sets, one can consider families of closed sets that have 
nonempty intersection, and this is equivalent (via the adherence operator) to 
considering filters. Indeed, compact sets are also characterized by convergence 
of filters, and it is natural to wonder whether the compactness rate might have 
a corresponding characterization in terms of some sort of convergence moduli 
bounds. 

On the one hand, the appearance of the parameter $n$ on the spreads can be rightfully criticized as somewhat unnatural; an “artifact” designed essentially “to make the proof work”. On the other hand, in the space $\Sigma$ we focus on, the very definition of filter offers, for a natural class of filter bases, a natural choice for the parameter $n$ that we need, and this suggests an alternative, and maybe more pleasing, definition of compactness rate.

We explain it in this section, and state that both are useful and complement each other. Both characterize learnability, but in two related but different learning models. Thus, they are not equivalent.



5.1 Prefilters 



Limits of filters can be defined equivalently as limits of filter bases consisting only of closed sets. Similarly to the previous case, we want to consider only basic closed sets; thus we consider prefilters: these are simply families of basic closed sets of the form $F_{w,b}$, having overall nonempty intersection. They are a particular form of filter bases; thus each prefilter generates the filter of all sets that contain some intersection of sets from the prefilter. Note that the previous section can be reformulated in terms of families of basic closed sets that are not prefilters. A prefilter converges if the intersection of the whole family is a single point. Convergence in a subspace is defined in the same manner on the traces of all the elements of the prefilter on the subspace, provided that the resulting family is still a prefilter (i.e. has nonempty intersection).

The width of a prefilter $\mathcal{F}$ is the function $w_{\mathcal{F}}(n)$ that, at each $n$, gives the number of different elements of $\mathcal{F}$ of the form $F_{w,b}$, with $|w| = n$. Note that there are at most $2^n$ of them since each $w$ cannot appear both with $b$ and $\neg b$ in $\mathcal{F}$, due to the nonempty intersection condition.

Let $\mathcal{F}$ be a prefilter that converges in the subspace $A$. The convergence delay of $\mathcal{F}$ in $A$ is the width of the smallest subprefilter of $\mathcal{F}$ that converges in $A$ (and, a fortiori, towards the same limit). The general convergence delay of $A$ is the largest convergence delay of a prefilter in $A$. (In principle, this might as well be undefined.)

Our result regarding this notion (even more subject to potential mistakes 
than the previous one, though) is: 
Theorem. A representation class is polynomial-query learnable from membership queries iff all the compact sets obtained from it by bounding the size have polynomially growing (w.r.t. the size bound) general convergence delays.

Again this characterization relies on a combinatorial characterization of the polyquery learning protocol. For membership queries, the concept of teaching dimension (see [3] and the references therein) was proved in [5] to characterize the model for projection-closed classes, which actually do encompass all classes of interest. Inspired by the definition of consistency dimension, we found a variant that captures membership query learnability also for non-projection-closed classes. While this is uninteresting since no really new reasonable classes get captured, the cleaner form of the statement allows for a translation from the combinatorial setting into topology: it is exactly the bound on the convergence delay of prefilters.

Thus, the way out we found, based on convergence issues, to circumvent the 
objections made to the concept of spread does not substitute, but in a sense 
complements, the notion; and certainly in a rather intriguing manner! 



6 Work in Progress 

We see quite a few additional aspects to be worked out, and we are actively (but, 
alas, slowly) pursuing some of them. 

6.1 Computational Learning Issues 

One clear limitation of this work is the restriction to “mean” algorithms. We are studying how to adjust the technicalities to capture algorithms that actually query hypotheses that are larger than necessary, since several of these do exist in the literature. Some of the results of [1] do apply to the general case, but not all.

Another direction where a generalization of this work is needed is improper learning; this simply means that the hypotheses are allowed to come from a different representation class. Several classes are not known to be learnable in terms of themselves, but become so when the hypothesis space allowed is enlarged.

Starting from certificates and the consistency dimension, we then found new characterizations for membership queries (which led to our result on prefilters); but moreover the shape of the expressions and their similarities suggest an avenue to work on similar characterizations for other learning protocols, and actually the scratch workpapers on our desks already have a solution for the case of learning from subset queries. It may also have a topological interpretation. Whereas, at the time of writing, all this material is extremely immature, please check with the author at the time of reading...

Globally, our vision would be a topologically suggested notion of “learnable” which would have as particular cases all (or, more modestly, a handful of) the learnability notions currently studied, which are incomparable among themselves.



6.2 Logic Issues 

The major shortcoming of this preliminary work from the logic side is the re- 
striction to the rather trivial propositional case. We want to explore the alley of 
finite models from this perspective. One natural (maybe too trivial) possibility 
is as follows: the i-th factor space would not be the i-ary boolean functions but 
the set of strings encoding finite models for universe size i, and would have a 
length polynomial in i depending on the relational vocabulary. 

The dream at this point is: even though the standard Compactness Theorem of first-order logic is well-known to fail for the finite models world, might it be simply that we need to sharpen it a little with quantitative considerations in order to recover it? More generally, would a quantitative approach reunify Classical Model Theory with its stray offspring, Finite Model Theory, and in this manner enrich its cousin, a favorite of mine, Complexity Theory, with its nice arsenal of deep weapons? But this is just the dream.



6.3 Topological Issues 

I am far from being a topologist, to the extent that I might be rediscovering the wheel all around here (although neither Altavista nor Infoseek seemed able to find too close together the words “quantitative” and “compactness” anywhere on the planet). Assume anyone would accept my bold claim that the notions of “topology” and “quantitative” are not mutually exclusive. Then, clearly there are topological questions here, ranging from careful study of the details (might it be that A is not compact but some, or infinitely many, or almost all of the spreads are? how often can cIa be defined/undefined? does it make sense to speak of “closeness to compact” for noncompact subsets on the basis of these definitions?) to more general questions which I am not in a position to enumerate, but of which I will mention just one that worries me most.

Not only did we work most of the time in a quite specific topological space, but we even fixed the family of basic closed sets. I am sure that a justification for this choice can be found, beyond its (to me) obvious naturality: something like “this choice gives values for the compactness rates that are in a sense extreme in comparison with any other choice of basic sets for the same topology”. This would be a very first step necessary before transferring any of the intuitions that one could get from here into products involving larger ordinals, or even arbitrary abstract topological spaces.
Abstract. Descriptive Complexity Theory studies the complexity of problems of the following type:

    Given a finite structure A and a sentence φ of some logic L, decide if A satisfies φ?

In this survey we discuss the parameterized complexity of such problems. Basically, this means that we ask under which circumstances we have an algorithm solving the problem in time f(|φ|)·||A||^c, where f is a computable function and c > 0 a constant. We argue that the parameterized perspective is most appropriate for analyzing typical practical problems of the above form, which appear for example in database theory, automated verification, and artificial intelligence.



1 Introduction 

One of the main themes in descriptive complexity theory is to study the complexity of problems of the following type:

    Given a finite structure A and a sentence φ of some logic L, decide if A satisfies φ?

This problem, let us call it the model-checking problem for L, has several natural variants. For example, given a structure A and a formula φ(x̄), we may want to compute the set of all tuples ā such that A satisfies φ(ā), or we may just want to count the number of such tuples. Often, we fix the sentence φ in advance and consider the problem: Given a structure A, decide if A satisfies φ?

Model-checking problems and their variants show up very naturally in various 
applications in computer science. Let us consider three important examples. 

Database Query Evaluation. Relational databases are finite relational structures, and query languages are logics talking about these structures. Thus the problem of evaluating a Boolean query over a database D is just the model-checking problem for the query language. Evaluating a k-ary query corresponds to the problem of finding all tuples in a structure satisfying a formula with k free variables.

A very important class of queries is the class of conjunctive queries. Such a query can be described by a first-order formula of the form ∃ȳ θ(x̄, ȳ), where θ(x̄, ȳ) is a conjunction of atomic formulas in the variables x̄, ȳ.

Chandra and Merlin [CM77] noted that the model checking problem for conjunctive queries is essentially the same as the homomorphism problem: Given two finite structures A and B of the same relational vocabulary τ, decide if there is a homomorphism from A to B? Remember that a homomorphism from A to B is a mapping h : A → B with the property that for all k-ary R ∈ τ and ā ∈ A^k such that R^A(ā) we have R^B(h(ā)).

To reduce the model-checking problem for conjunctive queries to the homomorphism problem, with each formula φ of vocabulary τ with variables x_1, ..., x_n we associate a τ-structure A_φ with universe A_φ = {x_1, ..., x_n}, in which for k-ary R ∈ τ and x̄ ∈ A_φ^k we have R^{A_φ}(x̄) if, and only if, R(x̄) is a subformula of φ. Then if φ(x̄) is a conjunction of atomic formulas, a structure B satisfies ∃x̄ φ(x̄) if, and only if, there is a homomorphism from A_φ to B. For the other direction we proceed similarly: for each finite relational structure A we define a conjunctive query φ_A that is satisfied by a structure B if, and only if, there is a homomorphism from A to B.

Thus indeed the model-checking problem for conjunctive queries and the homomorphism problem are essentially the same.
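The correspondence just described, as an added example that is not from the paper: a conjunctive query is turned into its canonical structure A_φ and evaluated by a brute-force homomorphism search, and conversely a structure is turned into its query φ_A. The names Structure, canonical_structure, canonical_query and find_homomorphism are ours, and the graph and queries are constructed samples.

```python
# Added example (not from the paper): the Chandra-Merlin correspondence between
# evaluating a conjunctive query and the homomorphism problem.
from itertools import product


class Structure:
    """A finite relational structure: a universe plus, per relation symbol,
    the set of tuples in its interpretation (all tuples of one symbol have
    the same arity)."""

    def __init__(self, universe, relations):
        self.universe = list(universe)
        self.relations = {R: set(map(tuple, ts)) for R, ts in relations.items()}


def canonical_structure(atoms):
    """A_phi: universe = the variables occurring in the conjunction,
    R^{A_phi}(x-bar) iff R(x-bar) is one of the atoms."""
    variables = []
    for _, args in atoms:
        for v in args:
            if v not in variables:
                variables.append(v)
    relations = {}
    for R, args in atoms:
        relations.setdefault(R, set()).add(tuple(args))
    return Structure(variables, relations)


def canonical_query(A):
    """phi_A: one variable per element, one atom per tuple of A.  Elements in
    no tuple are omitted; they could be mapped anywhere, so nothing is lost."""
    return [(R, tuple(f"x{a}" for a in t))
            for R, tuples in A.relations.items() for t in tuples]


def is_homomorphism(h, A, B):
    """h maps the universe of A into B; every R^A tuple must land in R^B."""
    for R, tuples in A.relations.items():
        image = B.relations.get(R, set())
        if any(tuple(h[a] for a in t) not in image for t in tuples):
            return False
    return True


def find_homomorphism(A, B):
    """Exhaustive search over all |B|^|A| maps.  Exponential in |A|, i.e. in
    the query length, which is what the W[1]-hardness of conjunctive query
    evaluation (Corollary 1 below) says cannot be avoided in general."""
    for values in product(B.universe, repeat=len(A.universe)):
        h = dict(zip(A.universe, values))
        if is_homomorphism(h, A, B):
            return h
    return None


def eval_conjunctive_query(atoms, B):
    """B |= exists x-bar /\ atoms  iff  A_phi maps homomorphically into B."""
    return find_homomorphism(canonical_structure(atoms), B) is not None


# Constructed sample: a directed graph with edge relation E, consisting of
# the directed 3-cycle 1 -> 2 -> 3 -> 1 and the pendant edge 4 -> 5.
G = Structure([1, 2, 3, 4, 5], {"E": [(1, 2), (2, 3), (3, 1), (4, 5)]})

# "there is a directed path of length 2": exists x,y,z. E(x,y) /\ E(y,z)
PATH2 = [("E", ("x", "y")), ("E", ("y", "z"))]
# "there is a directed 3-cycle": exists x,y,z. E(x,y) /\ E(y,z) /\ E(z,x)
CYCLE3 = [("E", ("x", "y")), ("E", ("y", "z")), ("E", ("z", "x"))]
# "there is a directed 2-cycle": exists x,y. E(x,y) /\ E(y,x)
CYCLE2 = [("E", ("x", "y")), ("E", ("y", "x"))]

if __name__ == "__main__":
    for name, q in [("path2", PATH2), ("cycle3", CYCLE3), ("cycle2", CYCLE2)]:
        print(name, eval_conjunctive_query(q, G))
```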

Constraint Satisfaction Problems. Feder and Vardi [FV93] gave the following elegant general formulation of a constraint satisfaction problem: Given two structures I, called the instance, and T, called the template, find a homomorphism from I to T.

Then more specific problems can be obtained by restricting instances and templates to be taken from certain classes of structures. For example, for the graph coloring problem we allow all (undirected, loop-free) graphs as instances and all complete graphs K_k, for k ≥ 1, as templates. Another example of a constraint satisfaction problem is 3-satisfiability; we leave it as an exercise to the reader to formulate it as a homomorphism problem.

We can conclude that a constraint satisfaction problem is basically the same as the model-checking problem for conjunctive queries. This is true, but for reasons we will explain later a different formulation of a constraint satisfaction problem as model-checking problem is more appropriate. Recall that monadic second-order logic is the extension of first-order logic by quantifiers ranging over sets of elements of a structure. It is easy to see that for each structure T there is a sentence φ_T of monadic second-order logic of the form ∃X_1 ... ∃X_l ψ, where ψ is a universal first-order formula, such that a structure I satisfies φ_T if, and only if, there is a homomorphism from I to T [FV93].

Hence a constraint satisfaction problem is essentially a special case of the model-checking problem for monadic second-order logic.

Model-Checking in Computer-Aided Verification. In the model checking approach to verification of circuits and protocols, the formal design of the system is translated to a Kripke structure representing its state space. Then correctness conditions are formulated in a logic, for example CTL or the modal μ-calculus, and the model-checker automatically tests whether the Kripke structure satisfies the conditions.

For the various logics used in this area, very good complexity bounds for the model-checking problem are known. However, the techniques to prove these bounds are of a quite different flavor than those needed, say, to analyze first-order model-checking. We will not study such logics in this paper.

Except for the modal and temporal logics used in verification, the complexity of model-checking problems is usually quite high. For example, model-checking for first-order logic is PSPACE-complete [SM73,Var82], and even for conjunctive queries it is NP-complete [CM77]. However, these complexity theoretic results are not really meaningful in many practical situations where the model-checking problems occur. In all the examples we have seen we can assume that usually the input formula φ is quite small, whereas the structure A can be very large. (This, by the way, is the reason that in constraint satisfaction problems we wrote a formula representing the template and not the instance.)

For that reason it is argued, for example in database theory, that we can assume that the length of the queries is bounded by some small number l and then more or less neglect it. Indeed, evaluating a conjunctive query of length at most l in a database of size n requires time at most O(n^l). For a fixed l this is in polynomial time and thus seems to be fine. Of course it is not. Even for a query length l = 5 this is far too much. On the other hand, a running time O(2^l · n), which is still exponential in l, would be acceptable. Parameterized complexity theory has been developed to deal with exactly this kind of situation.

Fixed-Parameter Tractability 

The idea of parameterized complexity theory is to parameterize a problem by 
some function of the input (such as, for example, the valence of the input graph) 
and then measure the complexity of the problem not only in terms of the size 
of the input, but also in terms of the parameter. This leads to a refined analysis 
of the complexity of the problem, which can be very useful if we have some 
additional information on the parameter, for example that it is usually “small” . 

Formally, a parameterized problem is a set P ⊆ Σ* × Π*, where Σ and Π are finite alphabets. We usually represent a parameterized problem P in the following form:

    Input: I ∈ Σ*
    Parameter: π ∈ Π*
    Problem: Decide if (I, π) ∈ P.

In most cases, we let Π = {0,1} and consider the parameters π ∈ Π* as natural numbers (in binary). Very often, a parameterized problem P is derived from a (classical decision) problem L ⊆ Σ* by a parameterization p : Σ* → N in such a way that P = {(I, k) | I ∈ L, k = p(I)}. Slightly abusing notation, we represent such a P in the form

    Input: I ∈ Σ*
    Parameter: p(I)
    Problem: Decide if I ∈ L.
As an example, actually the most important example in this paper, consider the model-checking problem for first-order logic parameterized by the formula length:

    Input: Structure A, FO-sentence φ
    Parameter: |φ|
    Problem: Decide if A satisfies φ.



The following central definition is motivated by our considerations at the end 
of the last subsection. 

Definition 1. A parameterized problem P ⊆ Σ* × Π* is fixed-parameter tractable if there is a function f : Π* → N, a constant c ∈ N and an algorithm that, given a pair (I, π) ∈ Σ* × Π*, decides if (I, π) ∈ P in time f(π)·|I|^c.

We denote the class of all fixed-parameter tractable problems by FPT. By FPL we denote the class of those problems P ∈ FPT for which the constant c in Definition 1 can be chosen to be 1.

Note that every decidable problem L ⊆ Σ* has a parameterization p : Σ* → N such that the resulting parameterized problem P is trivially in FPL: Just let p(I) = |I|. The choice of a good parameterization is hence a crucial part of the 
complexity analysis of a problem. This remark is further illustrated by the follo- 
wing example. Recall that evaluation of conjunctive queries and the constraint 
satisfaction problem are both essentially the same as the homomorphism pro- 
blem. Nevertheless, we decided to consider the former as a special case of the 
model-checking problem for first-order logic and the latter as a special case of the 
model- checking problem for monadic second-order logic. Since the “generic” pa- 
rameterization of model-checking problems is by the length of the input formula, 
this just corresponds to two different parameterizations of the homomorphism 
problem, each of which is appropriate in the respective application. 

The theory of fixed-parameter tractability and intractability has mainly been 
developed by Downey and Fellows. For a comprehensive treatment of the theory 
I refer the reader to their recent monograph [DF99]. 

In this paper we study the complexity of model-checking and related pro- 
blems from the parameterized perspective. As argued above, proving that a 
model- checking problem is in FPT or, even better, in FPL often seems to be a 
much more meaningful statement than just the fact that for a fixed bound on 
the formula length a model-checking problem is in PTIME. In the context of 
database theory, the question of fixed-parameter tractability of query evaluation 
has first been brought up by Yannakakis [Yan95] . 

As one might expect, in general most model-checking problems are not fixed- 
parameter tractable. Therefore, Section 2 is devoted to intractability results. In 
the Sections 3 and 4 we discuss various restrictions leading to problems in FPT 
and FPL. We close the paper with a list of open problems. 

Although our main motivation is to use parameterized complexity theory for 
a refined analysis of typical problems of descriptive complexity theory, we will see 
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that parameterized complexity theory also benefits from the logical perspective 
of descriptive complexity theory. 



Preliminaries 

We assume that the reader has some background in logic and, in particular, is 
familiar with first-order logic FO and monadic second-order logic MSO. 

For convenience, we only consider relational vocabularies.¹ τ always denotes a vocabulary. We denote the universe of a structure A by A. The interpretation of a relation symbol R ∈ τ in a τ-structure A is denoted by R^A.

We only consider finite structures. The class of all (finite) structures is denoted by 𝓕. If C is a class of structures, then C[τ] denotes the class of all τ-structures in C. We consider graphs as {E}-structures, where E is a binary relation symbol. Graphs are always undirected and loop-free. 𝓖 denotes the class of all graphs.

We use RAMs as our underlying model of computation. The size of a τ-structure A, denoted by ||A||, is defined to be |A| + Σ_{R∈τ} |R^A|. When doing computations whose inputs are structures, we assume that the structures are given by an adjacency list representation. This is important when it comes to linear time complexity. For details on these sensitive issues I refer the reader to [See96].

2 Intractability 

In this section we give some evidence that for most of the logics we have discussed so far the model-checking problem is not in FPT. As it is often the case in complexity theory, we cannot actually prove this, but only prove that all the model-checking problems are hard for a complexity class W[1], which is conjectured to contain FPT strictly. To do this we need a suitable concept of reduction that we introduce in a moment.

However, before we do so we observe that for the MSO-model-checking problem (parameterized by the formula length) we can show that it is not in FPT unless P = NP without any further knowledge of parameterized complexity theory. We just observe that there is an MSO-sentence χ defining the class of all 3-colorable graphs:

$$\chi := \exists X\,\exists Y\,\exists Z\,\Big(\forall x\,(Xx \lor Yx \lor Zx) \;\land\; \forall x\,\forall y\,\big(Exy \rightarrow \neg\big((Xx \land Xy) \lor (Yx \land Yy) \lor (Zx \land Zy)\big)\big)\Big).$$

Recall that if the model-checking problem for MSO was in FPT, there would be a function f : N → N, a constant c ∈ N, and an algorithm that, given a graph G and an MSO-sentence φ, would decide whether G satisfies φ in time f(|φ|)·n^c, where n is the size of the input graph. Applied to the sentence χ this would yield an O(n^c)-algorithm for 3-colorability and thus imply that P = NP, because 3-Colorability is NP-complete [Kar72].

¹ All results we present here can be extended to vocabularies with function and constant symbols, see [FG99a] for details.

Definition 2. Let P ⊆ Σ* × Π* and P' ⊆ (Σ')* × (Π')* be parameterized problems.

P is parameterized m-reducible to P' (we write P ≤^fp P'), if there is a computable function f : Π* → N, a constant c ∈ N, a computable function g : Π* → (Π')*, and an algorithm that, given (I, π) ∈ Σ* × Π*, computes an I' ∈ (Σ')* in time f(π)·|I|^c such that

    (I, π) ∈ P ⟺ (I', g(π)) ∈ P'.²

Observe that ≤^fp is transitive and that if P ≤^fp P' and P' ∈ FPT then P ∈ FPT. A parameterized complexity class is a class of parameterized problems that is downward closed under ≤^fp. For a parameterized problem P we let [P]^fp := {P' | P' ≤^fp P}, and for a family 𝐅 of problems we let [𝐅]^fp := ∪_{P∈𝐅} [P]^fp. Now we can define hardness and completeness of parameterized problems for a parameterized complexity class (under parameterized m-reductions) in the usual way.

For a class C of τ-structures and a class L of formulas we let MC(C, L) be the following parameterized model-checking problem:

    Input: A ∈ C, φ ∈ L
    Parameter: |φ|
    Problem: Decide A ⊨ φ.

For an arbitrary class C of structures, MC(C, L) denotes the family of problems MC(C[τ], L), for all τ.

We call a first-order formula existential if it contains no universal quantifiers and if negation symbols only occur in front of atomic subformulas. EFO denotes the class of all existential FO-formulas. We let

    W[1] := [MC(𝓕, EFO)]^fp.³

Recall that 𝓕 denotes the class of all structures and 𝓖 denotes the class of graphs. Standard encoding techniques show that MC(𝓖, EFO) is complete for W[1], or equivalently, that [MC(𝓖, EFO)]^fp = W[1] [FG99a].

Let Clique be the parameterized problem

    Input: Graph G
    Parameter: k ∈ N
    Problem: Decide if G has a k-clique.

² This is what Downey and Fellows [DF99] call strongly uniformly parameterized m-reducible. They also use various other reduction concepts, most notably a parameterized form of Turing reductions.

³ This is not Downey and Fellows’ original definition. See below for a discussion of the W-hierarchy.



(A k-clique in a graph is a set of k pairwise connected vertices.)

Theorem 1 ([DF95]). Clique is complete for W[1].

Proof. The problem is obviously contained in W[1], because for every k there is an EFO-sentence (actually a conjunctive query) of length bounded by a computable function of k that defines the class of all graphs with a k-clique.

For the hardness, we shall prove that MC(𝓖, EFO) ≤^fp Clique.

An atomic k-type (in the theory of graphs) is a sentence θ(x_1, ..., x_k) of the form ⋀_{1≤i<j≤k} α_ij(x_i, x_j), where α_ij(x_i, x_j) is either x_i = x_j or E(x_i, x_j) or (¬E(x_i, x_j) ∧ ¬x_i = x_j) (for 1 ≤ i < j ≤ k).

It is easy to see that there is a computable mapping φ ↦ φ' that associates with each EFO-sentence φ a sentence φ' of the form

$$\bigvee_{i=1}^{l} \exists x_1 \ldots \exists x_k\, \theta_i(x_1, \ldots, x_k), \qquad (1)$$

where each θ_i is an atomic k-type, such that for all graphs G we have G ⊨ φ ⟺ G ⊨ φ'. Furthermore, the mapping φ ↦ φ' can be defined in such a way that k is precisely the length of φ (this can simply be achieved by first adding “dummy” variables). Let f'(x) be an upper bound on the time required to compute φ' for a formula φ of length x.

For each graph G and each atomic k-type θ(x̄) = ⋀_{1≤i<j≤k} α_ij(x_i, x_j) we define a graph h(G, θ) as follows:

— The universe of h(G, θ) is {1, ..., k} × G.

— There is an edge between (i, v) and (j, w), for 1 ≤ i < j ≤ k and v, w ∈ G, if G ⊨ α_ij(v, w).

Then h(G, θ) contains a k-clique if, and only if, G ⊨ ∃x̄ θ(x̄).

Now we are ready to define the reduction from MC(𝓖, EFO) to Clique. We let c = 1 and g(k) = k. Given a graph G and a sentence φ ∈ EFO, our reduction-algorithm first computes φ' = ⋁_{i=1}^{l} ∃x̄ θ_i(x̄). Then for 1 ≤ i ≤ l it computes h(G, θ_i), and the output is the disjoint union of all these graphs. This computation requires time O(f'(p)·p·n), where n = |G| and p = |φ|. Thus we can let f(x) := d·f'(x)·x for a sufficiently large constant d. □
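The construction h(G, θ) from the proof, as an added example that is not part of the paper: for an atomic k-type θ it builds h(G, θ) and confirms that a k-clique exists in it exactly when G ⊨ ∃x̄ θ(x̄), using brute force for both sides. The sample graph, the three types and the function names are ours.

```python
# Added example (not from the paper): the graph h(G, theta) of Theorem 1's
# proof, checked against direct evaluation of  exists x-bar theta(x-bar).
from itertools import combinations, product


def make_graph(vertices, edges):
    """Undirected, loop-free graph: vertex list plus a set of frozenset edges."""
    return {"V": list(vertices), "E": {frozenset(e) for e in edges}}


def adjacent(G, v, w):
    return frozenset((v, w)) in G["E"]


# An atomic k-type is given as alpha[(i, j)] in {"eq", "edge", "nonedge"}
# for every pair 1 <= i < j <= k, mirroring the three cases of alpha_ij.
def holds(alpha_ij, G, v, w):
    """G |= alpha_ij(v, w)."""
    if alpha_ij == "eq":
        return v == w
    if alpha_ij == "edge":
        return adjacent(G, v, w)
    if alpha_ij == "nonedge":
        return v != w and not adjacent(G, v, w)
    raise ValueError(alpha_ij)


def satisfies_type(G, alpha, k, vbar):
    """G |= theta(v_1, ..., v_k) for the k-tuple vbar (0-indexed list)."""
    return all(holds(alpha[(i, j)], G, vbar[i - 1], vbar[j - 1])
               for i, j in combinations(range(1, k + 1), 2))


def direct_eval(G, alpha, k):
    """G |= exists x_1 ... x_k theta, by trying all |G|^k tuples."""
    return any(satisfies_type(G, alpha, k, vbar)
               for vbar in product(G["V"], repeat=k))


def h(G, alpha, k):
    """Universe {1..k} x G; (i,v) ~ (j,w) for i < j iff G |= alpha_ij(v, w).
    There are no edges inside a layer, so a k-clique must take exactly one
    vertex (i, v_i) from every layer i, and then (v_1..v_k) satisfies theta."""
    V = [(i, v) for i in range(1, k + 1) for v in G["V"]]
    E = {frozenset(((i, v), (j, w)))
         for (i, v), (j, w) in combinations(V, 2)   # V is ordered by layer, so i <= j
         if i < j and holds(alpha[(i, j)], G, v, w)}
    return make_graph(V, E)


def has_k_clique(G, k):
    return any(all(adjacent(G, a, b) for a, b in combinations(S, 2))
               for S in combinations(G["V"], k))


def reduction_agrees(G, alpha, k):
    """The equivalence claimed in the proof, checked on one input."""
    return has_k_clique(h(G, alpha, k), k) == direct_eval(G, alpha, k)


# Constructed sample: the 4-cycle 1-2-3-4-1 plus an isolated vertex 5.
C4 = make_graph([1, 2, 3, 4, 5], [(1, 2), (2, 3), (3, 4), (4, 1)])

# x1-x2-x3 is a path whose ends are distinct and non-adjacent (an induced P3).
THETA_P3 = {(1, 2): "edge", (2, 3): "edge", (1, 3): "nonedge"}
# x1, x2, x3 form a triangle (C4 has none).
THETA_TRI = {(1, 2): "edge", (2, 3): "edge", (1, 3): "edge"}
# x1 = x2 and both adjacent to x3: the "eq" case collapses two layers.
THETA_EQ = {(1, 2): "eq", (1, 3): "edge", (2, 3): "edge"}

if __name__ == "__main__":
    for name, theta in [("P3", THETA_P3), ("triangle", THETA_TRI), ("eq", THETA_EQ)]:
        print(name, direct_eval(C4, theta, 3), reduction_agrees(C4, theta, 3))
```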

Letting CQ be the class of all conjunctive queries, we immediately obtain:

Corollary 1 ([PY97]). MC(𝓖, CQ) is complete for W[1].

There is good reason to conjecture that W[1] ≠ FPT (see [DF99]). If we believe this, model-checking is not even fixed-parameter tractable for existential FO-formulas or conjunctive queries. How much harder will it be for arbitrary formulas?

Actually, Downey and Fellows defined a whole hierarchy W[1] ⊆ W[2] ⊆ ··· of parameterized complexity classes, and they conjecture that this hierarchy is strict. Their definition of this W-hierarchy is in terms of the circuit value problem for certain classes of Boolean circuits. It is not hard to prove, though, that their definition of W[1] is equivalent to ours.

For i ≥ 1, we let Σ_i denote the class of all FO-formulas in prenex normal form that have i alternating blocks of quantifiers, starting with an existential quantifier. Coming from our definition of W[1] in terms of model-checking for existential FO-formulas, it is tempting to conjecture that for i ≥ 2, the class W[i] coincides with the class A[i] := [MC(𝓕, Σ_i)]^fp. This is an open question, but I tend to believe that A[i] ≠ W[i] for all i ≥ 2 (see [FG99a,DFR98] for a discussion).

In any case, the intuition that the W-hierarchy is closely related to quantifier-alternation in FO-model-checking problems is justified. For l ≥ 1, i ≥ 2 we let Σ_{i,l} be the set of all Σ_i-formulas with at most l quantifiers in all quantifier blocks except for the first. For example,

    ∃x_1 ... ∃x_k ∀y ∃z_1 ∃z_2 ∀w_1 ∀w_2 θ

with a quantifier-free θ is a Σ_{4,2}-formula.

Theorem 2 ([DFR98,FG99a]⁴). For all i ≥ 1 we have

$$\mathrm{W}[i] \;=\; \Big[\bigcup_{l \ge 1} \mathrm{MC}(\mathcal{F}, \Sigma_{i,l})\Big]^{\mathrm{fp}} \;=\; \big[\mathrm{MC}(\mathcal{F}, \Sigma_{i,1})\big]^{\mathrm{fp}}.$$

On top of the W-hierarchy, Downey and Fellows have studied lots of other parameterized complexity classes. Notably, Downey, Fellows and Taylor [DFT96] proved that the problem MC(𝓖, FO), model-checking for FO, is complete for the class AW[*] (for a definition of this class I refer the reader to [DF99]).



3 Tractable Cases I: Simple Structures 

In this section we study tractable cases of the model-checking problems that 
are obtained by restricting the class of input structures. We prove a theorem of 
Courcelle stating that MSO-model-checking is in FPL if parameterized by the 
formula length and the tree-width of the input structure. 

Recall that a tree is a connected acyclic graph. 

The union ∪_i A_i of τ-structures A_i is the τ-structure A with universe A = ∪_i A_i and R^A = ∪_i R^{A_i} for all R ∈ τ. If A is a τ-structure and B ⊆ A, then ⟨B⟩^A denotes the substructure induced by A on B.

⁴ The first equality is due to [DFR98], the second due to [FG99a].
Definition 3. (1) A tree-decomposition of a structure A is a pair (T, (A_t)_{t∈T}) consisting of a tree T and a family (A_t)_{t∈T} of subsets of A such that ∪_{t∈T} ⟨A_t⟩^A = A and for all a ∈ A, the set {t | a ∈ A_t} induces a subtree of T (that is, is connected). The sets A_t are called the parts of the decomposition.

(2) The width of (T, (A_t)_{t∈T}) is defined to be max{|A_t| | t ∈ T} − 1.

(3) The tree-width of A, denoted by tw(A), is the minimal width of a tree-decomposition of A.

Trees and forests have tree-width 1 and series-parallel graphs (in particular cycles) have tree-width ≤ 2. Note that a graph of size n has tree-width at most n − 1. An n-clique has tree-width (n − 1), an (n × n)-grid has tree-width n (see [Die97]), and a random graph of order n with edge probability 1/2 has tree-width n − o(n) almost surely [GL].
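A checker for the three conditions of Definition 3 on a relational structure, as an added example that is not from the paper: it verifies that T is a tree, that every element and every tuple of every relation lies inside some part (so that the induced substructures cover A), that the nodes containing each element form a subtree, and it returns the width. The 5-cycle, the two candidate decompositions and the function names are constructed by us.

```python
# Added example (not from the paper): validating a tree-decomposition
# (Definition 3) and computing its width.
from collections import deque


def _reachable(start, adj):
    seen, queue = {start}, deque([start])
    while queue:
        for nb in adj[queue.popleft()]:
            if nb not in seen:
                seen.add(nb)
                queue.append(nb)
    return seen


def is_tree(nodes, edges):
    """Connected and acyclic: |E| = |V| - 1 and everything reachable from one node."""
    if not nodes or len(edges) != len(nodes) - 1:
        return False
    adj = {t: set() for t in nodes}
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return len(_reachable(nodes[0], adj)) == len(nodes)


def induced_connected(tree_edges, subset):
    """Does `subset` of tree nodes induce a connected subgraph (a subtree)?"""
    subset = set(subset)
    if not subset:
        return False
    adj = {t: set() for t in subset}
    for a, b in tree_edges:
        if a in subset and b in subset:
            adj[a].add(b)
            adj[b].add(a)
    return _reachable(next(iter(subset)), adj) == subset


def check_tree_decomposition(universe, relations, tree_nodes, tree_edges, parts):
    """Returns (ok, width, reason); width is max |A_t| - 1 when ok."""
    if not is_tree(tree_nodes, tree_edges):
        return False, None, "T is not a tree"
    # Union of the induced substructures <A_t>^A equals A: every element is
    # in some part and every tuple of every relation lies inside one part.
    for a in universe:
        if not any(a in parts[t] for t in tree_nodes):
            return False, None, f"element {a} lies in no part"
    for R, tuples in relations.items():
        for tup in tuples:
            if not any(set(tup) <= parts[t] for t in tree_nodes):
                return False, None, f"tuple {R}{tup} lies in no part"
    # Connectedness condition: {t | a in A_t} induces a subtree of T.
    for a in universe:
        if not induced_connected(tree_edges, {t for t in tree_nodes if a in parts[t]}):
            return False, None, f"nodes containing {a} are not connected"
    return True, max(len(parts[t]) for t in tree_nodes) - 1, "ok"


# Constructed sample: the 5-cycle 1-2-3-4-5-1 as an {E}-structure with a
# symmetric edge relation, decomposed along the path t1 - t2 - t3.
_cycle = [(1, 2), (2, 3), (3, 4), (4, 5), (5, 1)]
C5_UNIVERSE = [1, 2, 3, 4, 5]
C5_RELATIONS = {"E": {(a, b) for a, b in _cycle} | {(b, a) for a, b in _cycle}}
T_NODES = ["t1", "t2", "t3"]
T_EDGES = [("t1", "t2"), ("t2", "t3")]
# Fan triangulation from vertex 1: width 2, as the text says for cycles.
GOOD_PARTS = {"t1": {1, 2, 3}, "t2": {1, 3, 4}, "t3": {1, 4, 5}}
# Dropping 1 from the middle part covers every edge but breaks connectedness.
BAD_PARTS = {"t1": {1, 2, 3}, "t2": {3, 4}, "t3": {1, 4, 5}}

if __name__ == "__main__":
    for parts in (GOOD_PARTS, BAD_PARTS):
        print(check_tree_decomposition(C5_UNIVERSE, C5_RELATIONS, T_NODES, T_EDGES, parts))
```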

Tree-decompositions and tree-width have been introduced by Halin [Hal76], and later independently by Robertson and Seymour [RS86a]. They are of great importance in graph theory and the theory of algorithms. Many NP-hard algorithmic problems on graphs belong to FPL when parameterized by the tree-width of the input graph (see, for example, the survey [Bod97]).

Computing a tree-decomposition of a given graph is NP-complete [ACP87]. However, if parameterized by the tree-width of the input structure, the problem is fixed-parameter tractable by the following deep theorem of Bodlaender.

Theorem 3 ([Bod96]). There is an algorithm that, given a graph G, computes a tree-decomposition of G of minimal width in time O(2^{p(tw(G))} · |G|) (for a suitable polynomial p(X)).

It is not hard to see that for arbitrary τ the analogous result for τ-structures follows.

Theorem 4 ([Cou90]). For every vocabulary τ, the following parameterized problem is in FPL:

    Input: τ-structure A, MSO-sentence φ
    Parameter: (tw(A), |φ|)
    Problem: Decide if A ⊨ φ.

Let us recall what exactly this result means (cf. Page 16 for the precise definitions): Suppose that we encode pairs (A, φ) by a suitable mapping enc : 𝓕[τ] × MSO → {0,1}*. Then formally the parameterized problem we consider is

    {(enc(A, φ), (k, l)) | A ∈ 𝓕[τ], φ ∈ MSO, k = tw(A), l = |φ|, A ⊨ φ}.

Thus the theorem states that there is a computable function f : N × N → N and an algorithm that, given (enc(A, φ), (k, l)), decides if k = tw(A), l = |φ|, and A ⊨ φ in time at most f(k, l)·n.

The proof requires some preparation. 
Once we have declared a node r in a tree T to be the root we can direct the edges and speak of the children of a node and its parent. A proper binary rooted tree is a rooted tree (T, r) where every vertex either has two children or none.

It will be convenient for us to work with tree-decompositions of the following form: A special tree-decomposition (STD) of width w of a structure A is a triple (T, r, (ā^t)_{t∈T}) where (T, r) is a proper binary rooted tree, ā^t := (a^t_0, ..., a^t_w) is a (w + 1)-tuple of elements of A, and (T, ({a^t_0, ..., a^t_w})_{t∈T}) is a tree-decomposition of A. Let us mention explicitly that two distinct tree-nodes of a tree-decomposition may have identical parts.

It is easy to see that a given tree-decomposition of a graph can be transferred to an STD of the same width in linear time.

The quantifier-rank of an MSO-formula φ is the maximal number of nested quantifiers in φ. Let q ≥ 1. An MSO_q k-type (of vocabulary τ) is a set of MSO-formulas of quantifier rank at most q whose free variables are contained in a fixed set {x_1, ..., x_k}. The MSO_q type tp_q(ā, A) of a k-tuple ā ∈ A^k in a τ-structure A is defined to be the set of all MSO-formulas φ(x̄) of quantifier-rank at most q such that A ⊨ φ(ā).

It is easy to see that, up to logical equivalence, there are only finitely many MSO-formulas of vocabulary τ with free variables in {x_1, ..., x_k} of quantifier rank at most q. Thus for all k, q ∈ N, up to logical equivalence there are only finitely many MSO_q k-types, and every MSO_q k-type has a finite description.

Proof (of Theorem 4): Let φ be an MSO-sentence of quantifier-rank q. Furthermore, let A be a τ-structure and (T, r, (ā^t)_{t∈T}) an STD of A of width w := tw(A).

For every t ∈ T, we let A_t := {a^t_0, ..., a^t_w} and B_t := ∪_{s ⪰ t} A_s, where ⪯ denotes the natural partial order associated with the tree (in which the root is minimal). Note that for leaves t we have B_t = A_t and for parents t with children u and u' we have B_t = A_t ∪ B_u ∪ B_{u'} and B_u ∩ B_{u'} ⊆ A_t.

Standard techniques from logic (Ehrenfeucht-Fraïssé games) easily show that for every parent t with children u, u', type(t) := tp_q(ā^t, ⟨B_t⟩^A) only depends on the following finite pieces of information:

(1) The isomorphism type of the substructure induced by ā^t, that is,

$$\mathrm{part}(t) := \{(x, y) \mid 0 \le x < y \le w,\ a^t_x = a^t_y\} \;\cup\; \{R(\bar x) \mid R \in \tau\ k\text{-ary},\ \bar x \in \{0, \ldots, w\}^k \text{ such that } R^A(a^t_{x_1}, \ldots, a^t_{x_k})\}.$$

(2) The q-type of the subtree below u, and how the parts at u and t intersect:

    type(u),  is(u, t) := {(x, y) | 0 ≤ x, y ≤ w, a^u_x = a^t_y}.

(3) The q-type of the subtree below u', and how the parts at u' and t intersect:

    type(u'),  is(u', t).

For a leaf t, the q-type type(t) only depends on part(t).

In other words, there are finite functions Π_{q,w} and Λ_{q,w} such that for all τ-structures A with STD (T, r, (ā^t)_{t∈T}) of width w we have

$$\mathrm{type}(t) = \Pi_{q,w}\big(\mathrm{part}(t), \mathrm{type}(u), \mathrm{is}(u, t), \mathrm{type}(u'), \mathrm{is}(u', t)\big) \quad \text{for all parent nodes } t \in T \text{ with children } u, u',$$

$$\mathrm{type}(t) = \Lambda_{q,w}(\mathrm{part}(t)) \quad \text{for all leaves } t \in T.$$

The functions Π_{q,w} and Λ_{q,w} only depend on q and w, but not on the input structure A. Furthermore, there is an algorithm that, given q and w, computes Π_{q,w} and Λ_{q,w} and stores them in look-up tables.

Finally, recall that ⟨B_r⟩^A = A and (A ⊨ φ ⟺ φ ∈ tp_q(ā^r, A)) (because the quantifier rank of φ is q).

It is now easy to verify that the algorithm in Figure 1 solves the MSO-model-checking problem in time f(tw(G), |φ|)·|G| for a computable f. The statement of the theorem follows, because the problem of deciding whether the tree-width of a graph is w, parameterized by w, is in FPL (by Bodlaender’s theorem).



    MODELCHECK(Structure A, MSO-sentence φ)
        Compute STD (T, r, (ā^t)_{t∈T}) of A of width w := tw(A)
        q := qr(φ)
        Compute Λ_{q,w} and Π_{q,w}
        t := TYPE(r)
        if φ ∈ t then accept else reject.

    TYPE(Tree-Node t)
        Compute part(t)
        if t is a leaf
            then return Λ_{q,w}(part(t))
        else
            u := first child of t; u' := second child of t
            Compute is(u, t) and is(u', t)
            return Π_{q,w}(part(t), TYPE(u), is(u, t), TYPE(u'), is(u', t)).

    Figure 1. MSO-model-checking

□

Courcelle proved his theorem for graphs and hypergraphs. He uses a version
of MSO in which one is allowed to quantify not only over sets of vertices of
a graph, but also over sets of edges. This version is clearly more expressive.
However, there is a natural way of including it into our framework: We encode
graphs as incidence structures of vocabulary {V, W, I} with unary V, W and
binary I. With a graph G = (G, E^G) we associate a {V, W, I}-structure I(G)
whose universe is the disjoint union of the vertex set and the edge set W^{I(G)},
in the obvious way. Then a class C of graphs is definable in Courcelle's MSO if,
and only if, the class {I(G) | G ∈ C} is definable in our MSO.

It is a nice exercise to prove that for each graph G we have tw(G) = tw(I(G))
(and not only the trivial tw(I(G)) ≤ tw(G) + ). Thus Theorem 4 is
valid for both versions of MSO.

Arnborg, Lagergren and Seese [ALS91] proved extensions of Courcelle's Theorem
for MSO-definable counting and optimization problems. Courcelle, Makowsky,
and Rotics [CMR98] consider another, more liberal parameter of graphs called
clique-width. They prove that if a graph comes with a clique-decomposition
(the analogue of a tree-decomposition for clique-width) of bounded width, then
MSO-model-checking is still possible in polynomial time. The problem with this
approach is that it is not known if such a decomposition can be computed in
polynomial time even for fixed clique-width 4.

However, there is not much room for extensions of Courcelle's theorem to
other natural classes of structures. 3-Colorability is already NP-complete
on planar graphs of valence 4 [GJS76]. This implies that, unless P = NP, for
every class C of graphs that contains all planar graphs of valence 4 the problem
MC(C, MSO) is not in FPT.

Let us turn to FO-model-checking. With each τ-structure A we associate a
graph G(A), called the Gaifman graph of A. The universe of G(A) is A, and
there is an edge between two distinct elements a, b ∈ A if there is a relation
R ∈ τ and a tuple c̄ ∈ R^A such that both a and b occur in c̄. The valence of
a structure A, denoted by val(A), is defined to be the valence of its Gaifman
graph, that is, val(A) := max{|{b | E^{G(A)}(a, b)}| : a ∈ A}.

Using Hanf's Sphere Theorem [Han65], Seese proved the following:

Theorem 5 ([See96]). For every vocabulary τ, the following parameterized
problem is in FPL:

    Input: τ-structure A, FO-sentence φ
    Parameter: (val(A), |φ|)
    Problem: Decide if A ⊨ φ.



A more general approach is based on Gaifman's locality theorem [Gai82].
The distance d^A(a, b) between two elements a, b of a structure A is the length
of the shortest path between a and b in G(A). The r-neighborhood of a is the
set N_r(a) := {b ∈ A | d^A(a, b) ≤ r}.

Definition 4. The local tree-width of a structure A is the function ltw(A) :
ℕ → ℕ defined by ltw(A)(r) := max{tw(⟨N_r(a)⟩^A) | a ∈ A}.

A class C of structures has bounded local tree-width if there is a function
λ : ℕ → ℕ such that ltw(A)(r) ≤ λ(r) for all A ∈ C, r ∈ ℕ.

Surprisingly, there are many natural examples of classes of graphs of bounded
local tree-width, among them all classes of bounded tree-width, bounded valence,
and bounded genus.*

Theorem 6 ([FG99b]). Let C be a class of graphs of bounded local tree-width.
Then the problem MC(C, FO) is solvable in time f(|φ|)n^2 for a suitable f and
thus in FPT.

A refinement of bounded local tree-width is the notion of a locally tree-decomposable
class of graphs; all the examples of classes of bounded local tree-width
that we mentioned above are also locally tree-decomposable. For such
classes the FO-model-checking is in FPL. This yields both Seese's Theorem 5
and the following result. Its proof also uses a theorem of Mohar [Moh96] stating
that for every surface S there is a linear time algorithm deciding whether a given
graph can be embedded into the orientable surface of genus g.

Theorem 7 ([FG99b]). The following parameterized problem is in FPL:

    Input: Graph G, FO-sentence φ
    Parameter: (genus(G), |φ|)
    Problem: Decide if G ⊨ φ.



The final result of this section is based on deep graph theoretic results due
to Robertson and Seymour [RS95,RS]. A minor of a graph G is a graph that is
obtained from a subgraph of G by contracting edges.

Theorem 8 ([FG99a]). Let C be a class of graphs such that there exists a graph
that is not a minor of a graph in C. Then MC(C, FO) is in FPT.

Robertson and Seymour proved that a class C of graphs has bounded tree-width
if, and only if, there is a planar graph that is not a minor of a graph in C
[RS86b]. Putting things together, we obtain a nice corollary:

Corollary 2. Let C be a class of graphs that is closed under taking minors.

(1) Assume that P ≠ NP. Then MC(C, MSO) is in FPT if, and only if, C has
bounded tree-width.

(2) Assume that FPT ≠ W[1]. Then MC(C, FO) is in FPT if, and only if, C is
not the class of all graphs.



* The genus of a graph G is the least genus of an orientable surface in which G is
embeddable. Thus the graphs of genus 0 are just the planar graphs. A class of graphs
has bounded tree-width/valence/genus if there is a constant bounding the respective
number for all graphs in the class.

Remark 1. The results of this section show that on many classes of graphs the
model-checking problem for MSO and FO can be solved in time f(|φ|)||A||^c for
some function f and a constant c (usually c = 1).

We never specified f. In all results except Theorem 5, f is a tower of 2s whose
height is roughly the number of quantifier-alternations in the input formula. This
is basically due to the enormous number of MSO_q types and FO_q types. Even
in Theorem 5, f is at least doubly exponential.

This makes the algorithms that can be derived from these results useless for
practical applications. The benefit of the results is to provide a simple way to
recognize a property as being linear time computable on certain classes of graphs
(by expressing it in MSO or FO). Analyzing the combinatorics of the specific
property then, one may also find a practical algorithm.

4 Tractable Cases II: Simple Formulas

This final section is devoted to tractable cases of the model-checking problems
obtained by restricting the second part of the input, the sentence φ. The
complexity of model-checking is known to be intimately linked to the number of
variables in φ [Var95]. We might try to parameterize the FO-model-checking
problem by the number of variables instead of the formula-length, but since the
formula-length is an upper bound for the number of variables this makes the
model-checking problem only harder (and thus even "more intractable").

However, if we fix the number of variables in advance we obtain not only
fixed-parameter tractability, but actually polynomial-time computability: Vardi
proved that the problem MC(𝒮[τ], FO^s) is solvable in time O(n^s) [Var95]. Here
FO^s (for s ≥ 1) denotes the fragment of FO consisting of all formulas with at
most s variables. Similar results hold for the finite-variable fragments of other
logics, for example least fixed-point logic [Var95].

The finite-variable fragments of least fixed-point logic can also be used to
give a descriptive characterization of the class FPT in the style of the well-known
Immerman-Vardi Theorem [Imm86,Var82]. To formulate this, it is convenient to
consider a parameterized problem as a class P ⊆ O[τ] × ℕ for some vocabulary
τ, where O[τ] denotes the class of ordered τ-structures. Then P is in FPT if,
and only if, there is an s ≥ 1 and a computable sequence (φ_k)_{k≥1} of least
fixed-point formulas with at most s variables and at most one fixed-point operator
such that for all k ≥ 1, φ_k defines the class {A | (A, k) ∈ P} [FG99a].

The rest of this section is devoted to various refinements of model-checking for
Σ1-formulas. Remember that Σ1-formulas are EFO-formulas in prenex normal
form. Recall the definition of the structure A_φ associated with a formula φ
(cf. Page 15). The tree-width of a formula φ is defined to be the tree-width of
A_φ. Kolaitis and Vardi [KV98] observed that, for all s ≥ 1, every Σ1-sentence of
tree-width at most s can be effectively transformed into an equivalent existential
FO^{s+1}-sentence. This implies:

Theorem 9 ([FG99a]). Model-checking for Σ1-sentences of tree-width at most
s is in FPT.

Note that this does not extend to arbitrary EFO-sentences, because for every
k ≥ 3 the EFO-sentence

    ∃x_1 … ∃x_k ⋀_{1≤i<j≤k} ∃y ∃z (y = x_i ∧ z = x_j ∧ E(y, z)),

saying that a graph contains a k-clique, has tree-width 3.

The following extension of Theorem 9 is based on a theorem of Plehn and
Voigt [PV90] stating that for every w ≥ 1 the following restriction of the subgraph
isomorphism problem can be solved in time f(|H|)|G|^{w+1}, for a suitable
function f:

    Input: Graphs G, H with tw(H) ≤ w
    Parameter: |H|
    Problem: Decide if H is isomorphic to a subgraph of G.


Recall that negation symbols in an EFO-formula only occur in front of atomic
subformulas. For a formula φ, we let φ⁻ be the result of deleting all subformulas
of the form ¬x = y from φ. The modified tree-width of φ is defined to be tw(φ⁻).

Theorem 10 ([FG99a]). Let w ≥ 1 and Φ the set of all Σ1-sentences of modified
tree-width at most w. Then MC(𝒮, Φ) is in FPT.

Papadimitriou and Yannakakis [PY97] proved a special case of this theorem
for so-called acyclic queries. They also observed that the problem MC(𝒮, Φ) is
NP-complete even for the class Φ of all Σ1-sentences with modified tree-width
1. To see this, note that the existence of a Hamiltonian path is subsumed by this
model-checking problem.

Proof (of Theorem 10): It clearly suffices to prove the result for formulas of the
form ∃x̄ θ(x̄), where θ is a conjunction of atomic and negated atomic formulas,
because every Σ1-formula φ can be effectively transformed to an equivalent
disjunction of formulas of this form that contains precisely the same atomic
formulas as φ and thus has the same modified tree-width.

So we have to find an algorithm that, given a τ-structure A and a sentence
φ = ∃x_1 … ∃x_k θ(x_1, …, x_k) ∈ Φ of modified tree-width at most w, where θ is a
conjunction of atoms or negated atoms, decides if A ⊨ φ.

Our algorithm is based on the so-called color coding technique introduced
by Alon, Yuster and Zwick [AYZ95]. We only present a Monte Carlo algorithm
solving the problem in time f(|φ|)|A|^{w+1}. This algorithm can be derandomized
using a k-perfect family of hash-functions ([SS90,AYZ95]).

A coloring of φ is a mapping γ : {1, …, k} → {1, …, k} such that γ(i) ≠ γ(j)
if ¬x_i = x_j occurs in θ. For each coloring γ we let φ_γ be the formula obtained
by deleting literals ¬x_i = x_j in θ and adding atoms C_{γ(i)} x_i for 1 ≤ i ≤ k. Note
that tw(φ_γ) = tw(φ⁻) = w.

A coloring of A is a partition of A into sets C_1^A, …, C_k^A.

Observe that A ⊨ φ if, and only if, there is a coloring γ of φ and a coloring
C_1^A, …, C_k^A of A such that (A, C_1^A, …, C_k^A) ⊨ φ_γ.

For all colorings γ of φ we do the following: We randomly and independently
choose a color for each a ∈ A. Let C_1^A, …, C_k^A be the resulting coloring.
Then we check if (A, C_1^A, …, C_k^A) ⊨ φ_γ, which is possible in time O(|φ||A|^{w+1})
by Theorem 9. Note that if there is no coloring C_1^A, …, C_k^A of A such that
(A, C_1^A, …, C_k^A) ⊨ φ_γ, this will certainly not be the case. On the other hand,
if there is such a coloring it will be the case with probability ≥ .

Repeating this procedure f(k) = ⌈log(2) k^k⌉ times, we will get the correct
answer with probability at least 1/2. □
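As an added example (not code from the paper), the Monte Carlo procedure of this proof specialised to the k-path query, a Σ1-sentence of modified tree-width 1: the check (A, C_1, …, C_k) ⊨ φ_γ is done by a direct dynamic programme along the path instead of the generic Theorem 9 procedure, and the sample graphs, the helper names and the per-round success estimate k^{-k} are this example's own.

```python
"""Color coding for the k-path query (added example, not the paper's own code).

The query is the Sigma_1-sentence
    phi = E x_1 ... E x_k ( E(x_1,x_2) ^ ... ^ E(x_{k-1},x_k) ^ AND_{i<j} not x_i = x_j ),
whose modified tree-width is 1.  Every pair of variables is constrained by an
inequality, so a coloring gamma of phi is injective, i.e. one of the k!
permutations of {1,...,k}; phi_gamma drops the inequalities and adds the
atoms C_gamma(i) x_i.
"""
import math
import random
from itertools import permutations


def build_graph(n, edges):
    """Adjacency sets of an undirected graph on vertices 0..n-1 (constructed input)."""
    adj = {v: set() for v in range(n)}
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def colorful_path(adj, coloring, gamma):
    """Decide (A, C_1..C_k) |= phi_gamma for a coloring of A and a coloring gamma of phi.

    A walk a_1..a_k with a_i in C_gamma(i) visits k distinct colors, hence k
    distinct vertices, which is exactly why the inequalities could be dropped.
    Dynamic programme along the path: O(k * |E|) instead of the generic
    |A|^(w+1) bound of Theorem 9.
    """
    frontier = {a for a, c in coloring.items() if c == gamma[0]}
    for color in gamma[1:]:
        frontier = {b for a in frontier for b in adj[a] if coloring[b] == color}
        if not frontier:
            return False
    return True


def repetitions(k):
    """f(k) = ceil(log(2) * k^k) rounds, as in the proof.

    Our own estimate: a fixed witness path receives the colors gamma(1..k) in
    order with probability k^-k per round, so after f(k) rounds it is hit with
    probability >= 1/2.
    """
    return math.ceil(math.log(2) * k ** k)


def has_k_path(adj, k, rng=random):
    """Monte Carlo algorithm of the proof, specialised to the k-path query.

    One-sided error: True is always correct; False is wrong with probability
    <= 1/2 per coloring gamma (all k! colorings are equivalent here up to
    renaming colors, so looping over them only lowers the error further).
    """
    vertices = list(adj)
    for gamma in permutations(range(k)):
        for _ in range(repetitions(k)):
            # randomly and independently choose a color for each a in A
            coloring = {a: rng.randrange(k) for a in vertices}
            if colorful_path(adj, coloring, gamma):
                return True
    return False


# Constructed sample inputs: a 5-cycle (contains simple paths on 4 vertices)
# and a star K_{1,5}, whose longest simple path has 3 vertices (leaf, centre, leaf).
CYCLE5 = build_graph(5, [(i, (i + 1) % 5) for i in range(5)])
STAR5 = build_graph(6, [(0, i) for i in range(1, 6)])

if __name__ == "__main__":
    rng = random.Random(2024)
    print("C5 has a 4-path:", has_k_path(CYCLE5, 4, rng))
    print("K_{1,5} has a 4-path:", has_k_path(STAR5, 4, rng))
```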

Remark 2. The running time of the last algorithm can be considerably improved
by only coloring, with the least possible number of colors, the set of those
variables that actually appear in an inequality.

5 Open Problems 

(1) (cf. Page 21) Do the W-hierarchy and the A-hierarchy coincide, or is at least
W[2] = A[2]?

(2) (cf. Theorem 6) Let C be a class of graphs of bounded local tree-width. Is
the problem MC(C, FO) in FPL?

(3) (cf. Theorem 8) For k ≥ 1, let 𝒦_k be the class of graphs that do not contain
the complete graph as a minor. Note that for every class C of graphs such
that there exists a graph that is not a minor of a graph in C there exists a
k ≥ 1 such that C ⊆ 𝒦_k. Is the following problem in FPT or even FPL?

    Input: Graph G, FO-sentence φ
    Parameter: (min{k | G ∈ 𝒦_k}, |φ|)
    Problem: Decide if G satisfies φ.

(4) Let 𝒲 be the class of words. Is there a constant c ≥ 1 such that MC(𝒲, FO)
is solvable in time O(2^{|φ|} n^c)? If this is the case, how about the class of trees,
planar graphs, et cetera?

(5) Let G_k denote the (k × k)-grid. Is the following problem in FPT?

    Input: Graph G
    Parameter: k ∈ ℕ
    Problem: Decide if there is a homomorphism h : G_k → G.

A negative answer to this question would imply the following: Let C be a
class of graphs that is closed under taking minors and let Φ be the class of
all Σ1-formulas φ such that A_φ ∈ C. Then MC(𝒮, Φ) is in FPT if, and only
if, C has bounded tree-width (cf. [FG99a]).
Abstract. Various logic-based frameworks have been proposed for specifying
the operational semantics of programming languages and concurrent systems,
including inference systems in the styles advocated by Plotkin and by Kahn,
Horn logic, equational specifications, reduction systems for evaluation contexts,
rewriting logic, and tile logic.

We consider the relationship between these frameworks, and assess their
respective merits and drawbacks — especially with regard to the modularity
of specifications, which is a crucial feature for scaling up to practical
applications. We also report on recent work towards the use of the Maude
system (which provides an efficient implementation of rewriting logic) as
a meta-tool for operational semantics.



1 Introduction 

The designers, implementors, and users of a programming language all need to 
acquire an intrinsically operational understanding of its semantics. Programming 
language reference manuals attempt to provide such an understanding using 
informal, natural language; but they are prone to ambiguity, inconsistency, and 
incompleteness, and totally unsuitable as a basis for sound reasoning about the 
effects of executing programs — especially when concurrency is involved. 

Various mathematical frameworks have been proposed for giving formal
descriptions of programming language semantics. Denotational semantics generally
tries to avoid direct reference to operational notions, and its abstract
domain-theoretic basis remains somewhat inaccessible to most programmers (although
modelling programs as higher-order functions has certainly given useful insight
to language designers and to theoreticians). Operational semantics, which
directly aims to model the program execution process, is generally based on familiar
first-order notions; it has become quite popular, and has been preferred to
denotational semantics for defining programming languages [28] and process algebras
[26].

Despite the relative popularity of operational semantics, there have been
some "semantic engineering" problems with scaling up to descriptions of full
practical programming languages. A significant feature that facilitates scaling-up
is good modularity: the formulation of the description of one construct should
not depend on the presence (or absence) of other constructs in the language.
Recently, the author has proposed a solution to the modularity problem for the
structural approach to operational semantics [31,32].

There are different ways of specifying operational semantics for a programming
language: an interpreter for programs — written in some (other) programming
language, or defined mathematically as an abstract machine — is an algorithmic
specification, determining how to execute programs; a logic for inferring
judgements about program executions is a declarative specification, determining
what program executions are allowed, but leaving how to find them to logical
inference. Following Plotkin's seminal work [37], much interest has focussed on
logical specification of operational semantics.

In fact various kinds of logic have been found useful for specifying operational 
semantics: arbitrary inference systems, natural deduction systems, Horn logic, 
equational logic, rewriting logic, and tile logic, among others. Sections 2 and 3 
review and consider the relationship between these applied logics, pointing out 
some of their merits and drawbacks — especially with regard to the modularity 
of specifications. The brief descriptions of the various logics are supplemented 
by illustrative examples of their use. It is hoped that the survey thus provided 
will be useful as an introduction to the main techniques available for logical 
specification of operational semantics. 

The inference of a program execution in some logic is clearly not the same
thing as the inferred execution itself. Nevertheless, a system implementing logical
inference may be used to execute programs according to their operational
semantics. Section 4 reports on recent work towards the use of the Maude system
(which provides an efficient implementation of rewriting logic) as a meta-tool for
operational semantics.

2 Varieties of Structural Operational Semantics 

The structural style of operational semantics (SOS) is to specify inference rules
for steps (or transitions) that may be made not only by whole programs but
also by their constituent phrases: expressions, statements, declarations, etc. The
steps allowed for a compound phrase are generally determined by the steps
allowed for its component phrases, i.e., the steps are defined inductively according
to the (abstract) syntax of the described programming language. An atomic
assertion of the specified logic (such as γ → γ') asserts the possibility of a step
from one configuration γ to another γ'. Some configurations are usually
distinguished as terminal, and have no further steps, whereas initial and intermediate
configurations have phrases that remain to be executed as components.

Small-step SOS: In so-called small-step SOS [37], a single step for an atomic
phrase often gives rise to a single step for its enclosing phrase (and thus ultimately
for the whole program). A complete program execution is modelled as a
succession — possibly infinite — of these small steps. During such a program
execution, phrases whose execution has terminated get replaced by the values that
they have computed.
Suppose that an abstract syntax for expressions e includes also values v.

    e ::= v | if e0 then e1 else e2 | ...
    v ::= true | false | ...

Here are a couple of typical examples of inference rules for small-step SOS, to
illustrate the above points:

                    e0 → e0'
    ----------------------------------------------          (1)
    if e0 then e1 else e2 → if e0' then e1 else e2

    if true then e1 else e2 → e1      if false then e1 else e2 → e2      (2)

In the absence of further rules for if e0 then e1 else e2, it is easy to see that the
intended operational semantics has been specified: the sub-expression e0 must
be executed first, and if that execution terminates with a truth-value, only one
of e1, e2 will then be executed.



Big-step SOS: In big-step SOS [17], a step for a phrase always corresponds to
its entire (terminating) execution, so no iteration of steps is needed. A step
for a compound phrase thus depends on steps for all those component phrases
that have to be executed. (Big-step SOS has been dubbed Natural Semantics
since the inference rules may resemble those of Natural Deduction proof systems
[17].) Here is an example, where the notation e ⇓ v asserts the possibility of the
evaluation (i.e., execution) of e terminating with value v.

    e0 ⇓ true    e1 ⇓ v1                e0 ⇓ false    e2 ⇓ v2
    --------------------------------    --------------------------------
    if e0 then e1 else e2 ⇓ v1          if e0 then e1 else e2 ⇓ v2

The intended operational semantics, where cq is supposed to be executed before 
ei or 62, is not so evident here as it is in the small-step SOS rules. In other 
examples, however, explicit data dependencies may indicate the flow of control 
more clearly. 

Big-step SOS cannot express the possibility of non-terminating executions, 
and thus it appears ill-suited to the description of reactive systems. However, 
the possibility of non-termination may be specified separately [8] . 

Note that small- and big-step SOS may be used together in the same
description, e.g. big-step for modelling expression evaluation and small-step for
modelling statement execution. Moreover, the transitive closure of the small-step
relation (restricted to appropriate types of arguments) provides the big-step
relation between phrases and their computed values.



Substitution: Binding constructs of programming languages, such as declarations
and formal parameters, give rise to open phrases with free variables; however,
these phrases do not get executed until the values to be bound to the free
variables have actually been determined. Thus one possibility is to replace the free
variables by their values, producing a closed phrase, using a substitution
operation (here written [v/x]e). However, the definition of substitution itself can be
somewhat tedious — in practice, it is often left to the reader's imagination (as
here):

                  e1 → e1'
    ------------------------------------------          (4)
    let x = e1 in e2 → let x = e1' in e2

    let x = v1 in e2 → [v1/x]e2                          (5)

There is obviously no need to give a rule for evaluating a variable x to its value
when using substitution.



Environments: An alternative approach, inspired by the treatment of binding
constructs in denotational semantics and in Landin's work [18], is to use
environments ρ: a judgement then has the form ρ ⊢ γ → γ'. In effect, the environment
keeps track of the relevant substitutions that could have been made; the
combination (often referred to as a closure) of an open phrase and an appropriate
environment is obviously equivalent to a closed phrase. Environments are
particularly simple to use in big-step SOS, but in small-step SOS, auxiliary syntax
for explicit closures may have to be added to the described language (Plotkin
managed to avoid adding auxiliary syntax in [37] only because the example
language that he described already had a form of local declaration that was general
enough to express closures). Here is the same example as described above, but
now using environments instead of substitution:

                  ρ ⊢ e1 → e1'
    ------------------------------------------------          (6)
    ρ ⊢ let x = e1 in e2 → let x = e1' in e2

                  ρ[x ↦ v1] ⊢ e2 → e2'
    ------------------------------------------------          (7)
    ρ ⊢ let x = v1 in e2 → let x = v1 in e2'

    ρ ⊢ let x = v1 in v2 → v2                                 (8)

Here, in contrast to when using substitution, a rule is needed for evaluating the
use of a variable x occurring in an expression e:

          ρ(x) = v
    ----------------------          (9)
       ρ ⊢ x → v

The equation ρ(x) = v above is formally regarded as a side-condition on the
inference rule, although for notational convenience it is written as an antecedent
of the rule. It restricts the conclusion of the rule to the case that the environment
ρ does indeed provide a value v for x. Note that proofs of steps do not explicitly
involve proofs of side-conditions.
Stores: For describing imperative programming languages, where the values last
assigned to variables have to be kept for future reference, configurations are
usually pairs of phrases and stores. Thus a judgement might have the form
ρ ⊢ e, s → e', s'. Stores themselves are simply (finite) maps from locations to
stored values. Unfortunately, adding stores to configurations invalidates all our
previous rules, which should now be reformulated before being extended with
rules for imperative phrases. For instance:

                  ρ ⊢ e1, s → e1', s'
    ------------------------------------------------------          (10)
    ρ ⊢ let x = e1 in e2, s → let x = e1' in e2, s'

                  ρ[x ↦ v1] ⊢ e2, s → e2', s'
    ------------------------------------------------------          (11)
    ρ ⊢ let x = v1 in e2, s → let x = v1 in e2', s'

    ρ ⊢ let x = v1 in v2, s → v2, s                                 (12)

          ρ(x) = v
    --------------------------          (13)
      ρ ⊢ x, s → v, s

The need for this kind of reformulation reflects the poor inherent modularity of
SOS. Later in this section, however, we shall see how the modularity of SOS can
be significantly improved.

The following rules illustrate the SOS description of variable allocation,
assignment, and dereferencing (assuming that locations l are not values v):

          l ∉ dom(s)
    ----------------------------------          (14)
    ρ ⊢ ref v, s → l, s[l ↦ v]

          l ∈ dom(s)
    ----------------------------------          (15)
    ρ ⊢ l := v, s → (), s[l ↦ v]

       ρ(x) = l    s(l) = v
    ----------------------------------          (16)
         ρ ⊢ x, s → v, s
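As an added example, not the paper's own, a small-step interpreter for rules (10)–(16) above, with the if-rules (1) and (2) lifted to stores in the obvious way that the text says is needed but does not spell out; the tuple encoding of phrases, the Loc type, and the choice to let a location be bound by rule (11) (the text only presupposes ρ(x) = l in rule (16)) are this example's assumptions.

```python
"""Small-step SOS with environments and stores (added example, not the paper's code).

Configurations are pairs (e, s) of a phrase and a store, judged under an
environment rho, as in  rho |- e, s -> e', s'.  Phrases are encoded as tuples
(our own encoding):
    ('var', x)            use of a variable x            rules (13), (16)
    ('if', e0, e1, e2)    conditional                    rules (1), (2) lifted to stores
    ('let', x, e1, e2)    binding                        rules (10), (11), (12)
    ('ref', v)            allocation of a value v        rule (14)
    ('assign', l, v)      l := v for a location l        rule (15)
Values are True, False and the unit value (); locations are Loc objects and,
as the text assumes, are deliberately not values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Loc:
    """A store location l (hashable so it can key the store dict)."""
    n: int


UNIT = ()   # the value written ( ) in rule (15)


def is_value(e):
    return e is True or e is False or e == UNIT


def step(rho, e, s):
    """One step rho |- e, s -> e', s'.  Returns (e', s') or None if no rule applies."""
    if is_value(e) or isinstance(e, Loc):
        return None                                   # terminal (or stuck) configuration
    tag = e[0]
    if tag == 'var':
        x = e[1]
        if x not in rho:
            return None                               # side-condition rho(x) = ... fails
        v = rho[x]
        if isinstance(v, Loc):                        # (16): rho(x) = l, s(l) = v
            return (s[v], s) if v in s else None
        return v, s                                   # (13): rho(x) = v
    if tag == 'if':                                   # (1), (2) with the store threaded through
        _, e0, e1, e2 = e
        if e0 is True:
            return e1, s
        if e0 is False:
            return e2, s
        r = step(rho, e0, s)
        return None if r is None else (('if', r[0], e1, e2), r[1])
    if tag == 'let':
        _, x, e1, e2 = e
        if is_value(e1) or isinstance(e1, Loc):       # e1 finished (binding a Loc: our assumption)
            if is_value(e2):
                return e2, s                          # (12)
            r = step({**rho, x: e1}, e2, s)           # (11): e2 steps under rho[x |-> v1]
            return None if r is None else (('let', x, e1, r[0]), r[1])
        r = step(rho, e1, s)                          # (10): e1 steps first
        return None if r is None else (('let', x, r[0], e2), r[1])
    if tag == 'ref':                                  # (14): choose l not in dom(s)
        n = 0
        while Loc(n) in s:
            n += 1
        l = Loc(n)
        return l, {**s, l: e[1]}
    if tag == 'assign':                               # (15): l must already be in dom(s)
        _, l, v = e
        return (UNIT, {**s, l: v}) if l in s else None
    return None


def run(rho, e, s, limit=1000):
    """Iterate steps until none applies; returns (final phrase, final store, steps taken)."""
    steps = 0
    while True:
        r = step(rho, e, s)
        if r is None:
            return e, s, steps
        e, s = r
        steps += 1
        if steps > limit:
            raise RuntimeError("no terminal configuration within the step limit")


# Constructed sample programs.
PROG_REF = ('let', 'x', ('ref', True), ('var', 'x'))                # let x = ref true in x
PROG_IF = ('let', 'b', True, ('if', ('var', 'b'), False, True))     # let b = true in if b then false else true

if __name__ == "__main__":
    for prog in (PROG_REF, PROG_IF):
        print(run({}, prog, {}))
```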



Conventions: A major example of an operational semantics of a programming
language is the definition of Standard ML (SML) [28]. It is a big-step SOS,
using environments and stores. A couple of "conventions" have been introduced
to abbreviate the rules: one of them allows the store to be elided from
configurations, relying on the flow of control to sequence assignments to variables; the
other caters for raised exceptions preempting the normal sequence of evaluation
of expressions. Although these conventions achieve a reasonable degree of
conciseness, the need for them perhaps indicates that the big-step style of SOS has
some pragmatic problems with scaling up to languages such as SML. Moreover,
they make it difficult to exploit the definition of SML directly for verification or
prototyping.

Logical Specification of Operational Semantics 37

Recently, an alternative definition of SML has been proposed [15], without
the need for the kind of conventions used in the original definition. SML is first
translated into an "internal language", which is itself defined by a (small-step)
reduction semantics, see Sect. 3. (The translation of SML to the internal language
is itself specified using a big-step SOS, but that aspect of the approach seems to
be inessential.) A similar technique is used in the action semantics framework
[29,30], where programs are mapped to an action notation that has already been
defined using a (small-step) SOS.

Process Calculi: Small-step SOS is a particularly popular framework for the
semantic description of calculi for concurrent processes, such as CCS. There, steps
are generally labelled, and judgements have the form γ --a--> γ'. For CCS, labels
a range over atomic "actions", and for each action l there is a complementary
action l̄ for synchronization; there is also an unobservable label τ, representing
an internal synchronization. Here are some of the usual rules for CCS [26]:

    a.p --a--> p                                                        (17)

          p1 --a--> p1'                     p2 --a--> p2'
    -------------------------------    -------------------------------   (18)
    p1 | p2 --a--> p1' | p2            p1 | p2 --a--> p1 | p2'

          p1 --l--> p1'    p2 --l̄--> p2'
    ------------------------------------------                          (19)
          p1 | p2 --τ--> p1' | p2'

Also programming languages with constructs for concurrency, for instance
Conc­urrent ML [40,39], can be described using small-step SOS. Unfortunately, the
SOS description proposed for ML with concurrency primitives in [2] is not
inductive in the syntax of the language, and the need to reformulate inference
rules previously given for the purely functional part of the language is again
a sign of the poor inherent modularity of the SOS framework. Also the more
conventional SOS descriptions given in [12,16] have undesirably complex rules
for the functional constructs.

Syntactic Congruence: When using SOS to describe process calculi, it is common
practice to exploit a syntactic congruence on phrases, i.e., the syntax becomes a
set of equivalence classes. For instance, the processes p1 | p2 and p2 | p1 might be
identified, removing the need for one of the symmetric rules given in (18) above.

Evaluation to Committed Form: It is possible to describe the operational
semantics of CCS and other concurrent calculi without labelling steps [35]. The idea is
to give a big-step SOS for the evaluation of a process to its "committed forms"
where the possible actions are apparent (cf. reduction to "head normal form" in
the lambda-calculus). For example:

    p1 ⇓ l.p1'    p2 ⇓ l̄.p2'    p1' | p2' ⇓ k
    ---------------------------------------------          (20)
                  p1 | p2 ⇓ k

The technique relies heavily on a syntactic congruence between processes.
Enhanced Operational Semantics: By labelling steps with their proofs,
information about features such as causality and locality can be provided. This idea has
been further developed and applied in the "enhanced" SOS style [9,38], where
models taking account of different features of concurrent systems can be obtained
by applying relabelling functions (extracting the relevant details from the
proofs).

For a simple CCS-like process calculus, proofs may be constructed using
tags ‖1, ‖2 to record the use of the rules that let processes act alone, and pairs
(‖1θ1, ‖2θ2) to record synchronization. An auxiliary function l is used to extract
actions from proofs. The following rules illustrate the form of judgements:

          p1 --θ--> p1'                      p2 --θ--> p2'
    --------------------------------    --------------------------------   (21)
    p1 | p2 --‖1θ--> p1' | p2           p1 | p2 --‖2θ--> p1 | p2'

          p1 --θ1--> p1'    p2 --θ2--> p2'    l(θ1) = \overline{l(θ2)}
    -----------------------------------------------------------------      (22)
          p1 | p2 --(‖1θ1, ‖2θ2)--> p1' | p2'

Despite its somewhat intricate notation, enhanced operational semantics provides
a welcome uniformity and modularity for models of concurrent systems. By
using substitution, the need for explicit environments can be avoided — but if one
wanted to add stores, it seems that a major reformulation of the inference rules
for steps would still be required. Or could labels be used also to record changes
to stored values? The next variety of SOS considered here suggests that they
can indeed.

Modular SOS: Recently, the author has proposed a solution to the SOS modu- 
larity problem [31,32]. In Modular SOS (MSOS) the transition rules for each 
construct are completely independent of the presence or absence of other con- 
structs. When one extends or changes the described language, the description 
can be extended or changed accordingly, without reformulation — even though 
new kinds of information processing may be required. 

The basic idea of MSOS is to incorporate all semantic entities as components 
of labels. Thus configurations are restricted to syntax and computed values, and 
judgements are always of the form 7 — ^ 7 . 

In fact the labels in MSOS are regarded as the arrows of a category, and the 
labels on adjacent steps have to be composable in that category. The labels are 
no longer the simple atomic actions often used in studies of process algebra, but 
usually have semantic entities — e.g. environments and stores — as components; 
so do the objects of the label category, which correspond to the states of the 
processed information. 

Some basic label transformers for defining appropriate categories (starting 
from the trivial category) are available; they correspond to some of the simpler 
monad transformers used to obtain modularity in denotational semantics. Each 
label transformer adds a fresh indexed component to labels, and provides notation 
for setting and getting that component — independently of the presence or 
absence of other components. By using variables $\alpha$ ranging over arbitrary 
labels, and $\iota$ ranging over arbitrary identity labels that remain in the same 
state, rules can be expressed independently of the presence or absence of 
irrelevant components of labels. For example: 

$$\frac{e_0 \xrightarrow{\alpha} e_0'}{\text{if } e_0 \text{ then } e_1 \text{ else } e_2 \xrightarrow{\alpha} \text{if } e_0' \text{ then } e_1 \text{ else } e_2} \tag{23}$$

$$\text{if true then } e_1 \text{ else } e_2 \xrightarrow{\iota} e_1 \qquad \text{if false then } e_1 \text{ else } e_2 \xrightarrow{\iota} e_2 \tag{24}$$

The above rules remain both valid and appropriate when the category of labels 
gets enriched with (e.g.) environment components, allowing the rules for binding 
constructs to be added: 

$$\frac{e_1 \xrightarrow{\alpha} e_1'}{\text{let } x = e_1 \text{ in } e_2 \xrightarrow{\alpha} \text{let } x = e_1' \text{ in } e_2} \tag{25}$$

$$\frac{\rho = \mathrm{get}(\alpha, \mathrm{env}) \qquad \alpha' = \mathrm{set}(\alpha, \mathrm{env}, \rho[x \mapsto v_1]) \qquad e_2 \xrightarrow{\alpha'} e_2'}{\text{let } x = v_1 \text{ in } e_2 \xrightarrow{\alpha} \text{let } x = v_1 \text{ in } e_2'} \tag{26}$$

$$\text{let } x = v_1 \text{ in } v_2 \xrightarrow{\iota} v_2 \tag{27}$$

$$\frac{\rho = \mathrm{get}(\iota, \mathrm{env}) \qquad \rho(x) = v}{x \xrightarrow{\iota} v} \tag{28}$$

The use of $\iota$ rather than $\alpha$ above excludes the possibility of any change of state. 



Axiomatic Specifications: For proof-theoretic reasoning about SOS descriptions — 
especially when establishing bisimulation and other forms of equivalence — it is 
convenient that steps can only occur when proved by just the specified inference 
rules. For other purposes, however, it may be an advantage to reformulate the 
inference rules of SOS as ordinary conditional formulae, i.e., Horn clauses, and 
use the familiar inference rules for deduction, such as Modus Ponens. The close 
correspondence between inference rules and Horn clauses has been used in the 
implementation of big-step SOS by compilation to Prolog [17]. 

The axiomatic reformulation of SOS requires side-conditions on rules to be 
treated as ordinary conditions, along with judgements about possible steps. It 
has been adopted in the SMoLCS framework [1], which combines SOS with 
algebraic specifications. It has also been exploited in the modular SOS of action 
notation [34], where CASL, the Common Algebraic Specification Language [7], 
is used throughout (CASL allows the declaration of total and partial functions, 
relations, and subsorts, which is just what is needed in the side-conditions of 
SOS descriptions). 
3 Varieties of Reduction Semantics 



Many of the inference rules specified in the structural approach to operational 
semantics merely express that execution steps of particular components give rise 
to execution steps of the enclosing phrases. The notion of reduction in term 
rewriting systems enjoys a similar property, except that there is a priori no 
restriction on the order in which component phrases are to be reduced. Thus 
for any term constructor $f$, the following inference rule may be specified for the 
reduction relation $t \to t'$: 

$$\frac{t_i \to t_i'}{f(t_1, \ldots, t_i, \ldots, t_n) \to f(t_1, \ldots, t_i', \ldots, t_n)} \tag{29}$$

The above rule is subsumed by the following somewhat more elegant rule, where 
$C$ ranges over arbitrary one-hole term contexts, and $C[t]$ is the term obtained 
by filling the unique hole in the context $C$ with the term $t$: 

$$\frac{t \to t'}{C[t] \to C[t']} \tag{30}$$



It is straightforward to define the arbitrary one-hole contexts for any ranked al- 
phabet of (constant and) function symbols; similarly for many-sorted and order- 
sorted signatures — introducing a different sort of context for each pair of argu- 
ment and result sorts. 

Several frameworks for operational semantics are based on variations of the 
basic notion of reduction, and are reviewed below. 



Reduction Strategies: The problem with using ordinary reduction to specify ope- 
rational semantics is the lack of control concerning the order of reduction steps: 
the entire sequence of reductions might be applied to a part of the program that 
in fact should not be executed at all. 

For instance, consider the $\lambda$-expressions with constants, which may be regarded 
as a simple functional programming language: 

$$e ::= v \mid e_1\, e_2 \qquad\qquad v ::= b \mid f \mid x \mid \lambda x.e$$

where the basic constants $b$ and function constants $f$ are left unspecified. The 
execution steps for evaluating $\lambda$-expressions are $\delta$-reductions, concerned with 
applications of the form $f\, b$, and $\beta$-reductions: 

$$(\lambda x.e)(e') \to [e'/x]e \tag{31}$$

where the substitution of expressions $e'$ for variables $x$, written $[e'/x]e$, is assumed 
to avoid capture of free variables. An expression such as 

$$(\lambda y.b)((\lambda x.xx)(\lambda x.xx))$$

has both terminating and non-terminating reduction sequences: the one that takes 
the leftmost, outermost $\beta$-reduction corresponds to “call-by-name” semantics 
for $\lambda$-expressions; that which always applies $\beta$-reduction to $(\lambda x.xx)(\lambda x.xx)$ 
corresponds to “call-by-value” semantics. 

Standard reduction sequences are those which always make the leftmost outermost 
reduction at each step. For $\lambda$-expressions, restricting reductions to standard 
$\delta$- and $\beta$-reductions ensures call-by-name operational semantics. Remarkably, 
also call-by-value semantics can be ensured by restricting to standard 
reductions — provided that the $\beta$-reduction rule is itself restricted to the case 
where the argument of the application is already a value $v$ [36,11]: 

$$(\lambda x.e)(v) \to [v/x]e \tag{32}$$

Standard reduction sequences with this restricted notion of $\beta$-reduction correspond 
to an operational semantics for $\lambda$-expressions defined by an SECD machine 
[36]. 

By adopting the restriction to standard reductions, it might be possible to 
give reduction semantics for other programming languages. However, the follo- 
wing technique not only subsumes this approach, but also has the advantage of 
admitting an explanation in terms of inference systems. 



Evaluation Contexts: An alternative way of controlling the applicability of re- 
ductions is to require them to occur in evaluation contexts [10]. It is convenient 
to specify evaluation contexts E in the same way as the abstract syntax of pro- 
grams, using context-free grammars. The symbol [ ] represents the hole of the 
context; the grammar must ensure that exactly one hole occurs in any evaluation 
context. 

The restriction to evaluation contexts corresponds to simply replacing the 
general context rule for reduction (30) above by: 

$$\frac{t \to t'}{E[t] \to E[t']} \tag{33}$$



For example, to obtain the call-by-value semantics of $\lambda$-expressions, let evaluation 
contexts $E$ be defined by the grammar: 

$$E ::= [\,] \mid v\, E \mid E\, e$$

It is easy to see that when an expression is of the form $E[e_1\, e_2]$, a standard 
reduction step can only reduce $e_1\, e_2$ or some sub-expression of it. Similarly, 
it appears that call-by-name semantics can be obtained by letting evaluation 
contexts be defined as follows: 

$$E ::= [\,] \mid f\, E \mid E\, e$$

(where $f$ ranges over function constants). 
The following specification of evaluation contexts would be appropriate for 
the intended operational semantics of the illustrative language constructs considered 
in Sect. 2: 

$$E ::= [\,] \mid \text{if } E \text{ then } e_1 \text{ else } e_2 \mid \text{let } x = E \text{ in } e_2$$

(where the grammar for expressions $e$ and values $v$ is as before). Notice the 
close correspondence between the productions of the above grammar and the 
previously-given small-step SOS rules (1) and (4). The above grammar is clearly 
more concise than the inference rules for expressing the allowed order of execution; 
this economy of specification may account for at least some of the popularity 
of the evaluation context approach. 

Assuming that reductions are restricted to occur only in evaluation contexts, 
the following rules may now be given: 

$$\text{if true then } e_1 \text{ else } e_2 \to e_1 \qquad \text{if false then } e_1 \text{ else } e_2 \to e_2 \tag{34}$$

$$\text{let } x = v_1 \text{ in } e_2 \to [v_1/x]e_2 \tag{35}$$

where $[v/x]e$ is substitution, as before. As the reader may have noticed, these 
are exactly the same as the small-step SOS rules (2) and (5). 

An alternative technique with evaluation contexts is to combine (30) above 
with the reduction rules themselves — now insisting that reductions are always 
applied to the entire program. With the same definition of evaluation contexts, 
the above reduction rules would then be written: 

$$E[\text{if true then } e_1 \text{ else } e_2] \to E[e_1] \tag{36}$$

$$E[\text{if false then } e_1 \text{ else } e_2] \to E[e_2] \tag{37}$$

$$E[\text{let } x = v_1 \text{ in } e_2] \to E[[v_1/x]e_2] \tag{38}$$



This seemingly innocent reformulation in fact provides a significant new possi- 
bility, which is perhaps the forte of the evaluation context approach: reductions 
may depend on and/or change the structure of the context itself. For example, 
we may easily add a construct that is intended to stop the execution of the entire 
program, and specify the reduction: 

$$E[\text{stop}] \to \text{stop} \tag{39}$$

To specify the same semantics in small-step semantics would require giving an 
explicit basic rule for the propagation of stop out of each evaluation context 
construct: 

$$\text{if stop then } e_1 \text{ else } e_2 \to \text{stop} \tag{40}$$

$$\text{let } x = \text{stop in } e_2 \to \text{stop} \tag{41}$$

In a big-step semantics, one would have to provide extra inference rules, e.g.: 

$$\frac{e_0 \Downarrow \text{stop}}{\text{if } e_0 \text{ then } e_1 \text{ else } e_2 \Downarrow \text{stop}} \tag{42}$$
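The two treatments of stop just contrasted, as an added example written for this page rather than code from the paper: a reducer driven by the evaluation-context grammar for if/let, in which $E[\text{stop}] \to \text{stop}$ discards the whole context in one step, beside a switch that instead propagates stop one enclosing construct at a time as rules (40) and (41) do. The tuple encoding of terms and the two constructed programs are assumptions.

```python
# Added example for this page (not the paper's code): one-step reduction of the
# if/let fragment driven by the evaluation-context grammar
#   E ::= [ ] | if E then e1 else e2 | let x = E in e2
# Terms are nested tuples; an evaluation context is the list of frames on the
# path from the root of the program to the hole.
TRUE, FALSE, STOP = ("true",), ("false",), ("stop",)

def is_value(e):
    return e[0] in ("true", "false", "num")

def decompose(e):
    """Return (frames, redex) with e == plug(frames, redex): descend into the
    condition of an `if` or the bound expression of a `let` while it is not
    yet a value, which are exactly the positions the grammar for E allows."""
    frames = []
    while True:
        if e[0] == "if" and not is_value(e[1]):
            frames.append(("if", e[2], e[3]))
            e = e[1]
        elif e[0] == "let" and not is_value(e[2]):
            frames.append(("let", e[1], e[3]))
            e = e[2]
        else:
            return frames, e

def plug(frames, t):
    """E[t]: rebuild the term around t, innermost frame first."""
    for frame in reversed(frames):
        if frame[0] == "if":
            t = ("if", t, frame[1], frame[2])
        else:
            t = ("let", frame[1], t, frame[2])
    return t

def subst(e, x, v):
    """[v/x]e for a closed value v (no binders in v, so capture cannot occur)."""
    tag = e[0]
    if tag == "var":
        return v if e[1] == x else e
    if tag == "if":
        return ("if", subst(e[1], x, v), subst(e[2], x, v), subst(e[3], x, v))
    if tag == "let":
        body = e[3] if e[1] == x else subst(e[3], x, v)  # an inner let shadows x
        return ("let", e[1], subst(e[2], x, v), body)
    return e

def contract(r):
    """Basic reductions (34) and (35) on a redex; None if r is stuck."""
    if r[0] == "if" and r[1] in (TRUE, FALSE):
        return r[2] if r[1] == TRUE else r[3]
    if r[0] == "let" and is_value(r[2]):
        return subst(r[3], r[1], r[2])
    return None

def step(e, propagate_stop=False):
    """One reduction step of the whole program, or None if e is final or stuck.
    By default E[stop] -> stop discards the entire context in one step (39);
    with propagate_stop=True, stop instead climbs out of one enclosing
    construct per step, as the small-step rules (40) and (41) do."""
    if is_value(e) or e == STOP:
        return None
    frames, r = decompose(e)
    if r == STOP:
        return plug(frames[:-1], STOP) if propagate_stop else STOP
    contracted = contract(r)
    return None if contracted is None else plug(frames, contracted)

def run(e, propagate_stop=False):
    """Reduce until a value, stop, or a stuck term; return (term, step count)."""
    steps = 0
    while (nxt := step(e, propagate_stop)) is not None:
        e, steps = nxt, steps + 1
    return e, steps

# Constructed programs.  In HALT the stop sits three context frames deep:
#   let x = (if (let y = stop in y) then true else false) in x
HALT = ("let", "x", ("if", ("let", "y", STOP, ("var", "y")), TRUE, FALSE), ("var", "x"))
#   let x = (if true then false else true) in (if x then 1 else 2)
BRANCH = ("let", "x", ("if", TRUE, FALSE, TRUE),
          ("if", ("var", "x"), ("num", 1), ("num", 2)))

if __name__ == "__main__":
    print(run(HALT))                       # (('stop',), 1)
    print(run(HALT, propagate_stop=True))  # (('stop',), 3)
    print(run(BRANCH))                     # (('num', 2), 3)
```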
Moreover, evaluation contexts can be used to specify the operational semantics 
of advanced control constructs, such as those manipulating continuations [11]. 
Although it may be possible to specify continuations in SOS, the appropriateness 
of the use of evaluation contexts here cannot be denied. 

An evaluation context may contain more than just the syntactic control context: 
for instance, it may also contain a store, recording the values assigned to 
variables. A store $s$ is represented syntactically as a sequence of pairs of locations 
$l$ and values $v$, with no location occurring more than once. It is quite 
straightforward to give reduction rules for variable allocation, assignment, and 
dereferencing [4]: 

$$s\ E[\text{ref } v] \to s,(l,v)\ E[l] \quad \text{if } l \text{ is not used in } s \tag{43}$$

$$s,(l,v),s'\ E[l := v'] \to s,(l,v'),s'\ E[(\,)] \tag{44}$$

$$s,(l,v),s'\ E[!l] \to s,(l,v),s'\ E[v] \tag{45}$$

The previously given rules for functional constructs using explicit evaluation 
contexts (e.g. (36)) remain valid, so the modularity of the approach appears to 
be good — also when adding concurrency primitives to a functional language, as 
illustrated in [39,40]. However, it appears that it would not be so straightforward 
to add explicit environments to evaluation contexts, and the reliance on syntactic 
substitution may complicate the description of languages with “dynamic” scope 
rules. 

One significant potential problem when using evaluation contexts for mo- 
delling the operational semantics of concurrent languages is how to define and 
prove equivalence of processes. In particular cases “barbed” bisimulation can be 
defined [27,41]; also, a rather general technique for extracting labelled transition 
systems (and hence bisimulations) from evaluation context semantics has been 
proposed [42]. 

Rewriting Logic: The framework of Rewriting Logic (RL) [21] generalizes con- 
ventional term rewriting in two main directions: 

— rewriting may be modulo a set of equations between terms (i.e., it applies to 
arbitrary equationally-specified data structures); and 

— rewriting may be concurrent (i.e., non-overlapping sub-terms may be rewrit- 
ten simultaneously). 

Moreover, no assumptions about confluence or termination are made: the rules 
are understood not as equations, but as transitions. 

The inference rules for RL are as follows, where rewriting between 
equivalence classes of terms is written $[t] \to [t']$. Rewriting is taken to be 
reflexive: 

$$[t] \to [t] \tag{46}$$

which allows one or more of the arguments to remain the same in concurrent 
rewriting: 

$$\frac{[t_1] \to [t_1'] \quad \ldots \quad [t_n] \to [t_n']}{[f(t_1, \ldots, t_n)] \to [f(t_1', \ldots, t_n')]} \tag{47}$$
The following inference rule combines replacement of variables by 
terms $t_1, \ldots, t_n$ in a specified rule $r : [t(x_1, \ldots, x_n)] \to [t'(x_1, \ldots, x_n)]$ with 
the possibility of rewriting the terms in the same step: 

$$\frac{[t_1] \to [t_1'] \quad \ldots \quad [t_n] \to [t_n']}{[t(t_1/x_1, \ldots, t_n/x_n)] \to [t'(t_1'/x_1, \ldots, t_n'/x_n)]} \tag{48}$$



Finally, rewriting is taken to be transitive: 

$$\frac{[t_1] \to [t_2] \quad [t_2] \to [t_3]}{[t_1] \to [t_3]} \tag{49}$$



Specified rewriting rules are also allowed to be conditional, which requires a 
further inference rule for discharging conditions. 

RL has been used as a unifying model for concurrency [23] and as a logical 
framework [20]. It has also been proposed as a semantic framework, as an al- 
ternative to frameworks such as SOS [20]. RL has been efficiently implemented 
in the Maude system [5], which makes its use as a semantic framework parti- 
cularly attractive in connection with the possibilities for prototyping semantic 
descriptions (see Sect. 4). 

Two techniques for expressing SOS descriptions in RL have been proposed 
[20]. The first is a special case of a general technique for representing sequent 
systems in unconditional RL, with the rewriting relation corresponding to pro- 
vability; the second is more specific to SOS, and uses conditional rewriting rules. 
Let us illustrate both techniques with the same example: the SOS rules (17)-(19) 
for concurrency in CCS (Sect. 2). 

To start with, term constructors for the abstract syntax of processes and 
labels are needed; we shall only make use of the binary process constructor $p \mid p'$, 
which is now specified to be both associative and commutative (corresponding 
to a syntactic congruence in SOS). 

For the first technique, we also introduce a term constructor $S(p, \alpha, p')$ representing 
the assertion of an SOS step from process $p$ to process $p'$ with label 
$\alpha$; and an infix term constructor $S_1 \,\&\, S_2$ representing the conjunction of such 
assertions, specified to be associative, commutative, with unit $\top$. 

The SOS rules are then expressed in RL as follows: 

$$[\bot] \to [S(a.p, a, p)] \tag{50}$$

$$[S(p_1, \alpha, p_1')] \to [S(p_1 \mid p_2, \alpha, p_1' \mid p_2)] \tag{51}$$

$$[S(p_1, l, p_1') \,\&\, S(p_2, \bar{l}, p_2')] \to [S(p_1 \mid p_2, \tau, p_1' \mid p_2')] \tag{52}$$

The relationship between the SOS steps and the rewriting relation is that $p \xrightarrow{\alpha} p'$ 
in the SOS iff $[\bot] \to [S(p, \alpha, p')]$ is provable in RL. Note that the rewriting 
relation is highly non-deterministic, and in practice a goal-directed strategy 
would be needed in order to use the Maude implementation of RL for proving 
$[\bot] \to [S(p, \alpha, p')]$ for some particular process $p$. 
For the second technique, we introduce only a term constructor $\alpha;p$ that 
combines the label $\alpha$ with the process $p$, representing the “result” of some SOS 
step. The result sort of $\alpha;p$ is regarded as a supersort of the sort of processes, 
and rewriting is always of the form $[p] \to [\alpha;p']$, i.e. it is sort-increasing. The 
SOS rules are then expressed in RL as follows: 

$$[a.p] \to [a;p] \tag{53}$$

$$[p_1 \mid p_2] \to [\alpha;\, p_1' \mid p_2] \quad \text{if } [p_1] \to [\alpha; p_1'] \tag{54}$$

$$[p_1 \mid p_2] \to [\tau;\, p_1' \mid p_2'] \quad \text{if } [p_1] \to [l; p_1'] \wedge [p_2] \to [\bar{l}; p_2'] \tag{55}$$

The relationship between the SOS steps and the rewriting relation is now that, 
given a process $p$, there are processes $p_1, \ldots, p_{n-1}$ and labels $\alpha_1, \ldots, \alpha_n$ such 
that $p \xrightarrow{\alpha_1} p_1 \cdots p_{n-1} \xrightarrow{\alpha_n} p'$ in SOS iff $[p] \to [\alpha_1; \ldots; \alpha_n; p']$ in RL. 

Tile Logic: Although Tile Logic (TL) is listed here together with other frame- 
works for reduction semantics, due to its close relationship with Rewriting Logic 
(translations both ways between the two frameworks have been provided [25,3]), 
it could just as well have been classified as a structural framework. In fact it is 
a development of so-called context systems [19] where steps are specified much 
as in SOS, except that phrases may be contexts with multiple holes, and the 
actions that label the steps (the effects) may depend on actions to be provided 
by the holes (the triggers). A context may be thought of as an m-tuple of terms 
in n variables; there are operations, familiar from Lawvere’s algebraic theories, 
for composing contexts sequentially (plugging the terms of one context into the 
holes of another) and in parallel (concatenating tuples of terms over the same 
variables), together with units and projections. 

In TL, steps may affect the interfaces of contexts, and the steps themselves 
have a rich algebraic structure; see [13,14] for the details. Here we shall merely 
introduce the notation of TL, and illustrate its use to express the operational 
semantics of a familiar fragment of CCS. 

The conventional algebraic notation for a tile is $s \xrightarrow[b]{a} t$ (ignoring the label of 
the tile, for simplicity), where $s \to t$ is a context rewrite step, $a$ is the trigger of 
the step, and $b$ is its effect. The tile requires that the variables of $s$ are rewritten 
with a cumulative effect $a$. 

For appropriate arguments, sequential composition of contexts is written $s;t$, 
with unit $\mathrm{id}$, and parallel composition is written as $s \otimes t$. Duplicators are written 
$\nabla$, and dischargers (or sinks) as $!$ (permuters are also provided). The operations 
satisfy all the axioms that one might expect. 

Two tiles can be composed in parallel (using $\otimes$), vertically (using $\cdot$), or horizontally 
(using $*$), provided that their components have the appropriate types. 

Finally, here are the tiles for some CCS constructs (where the variables $x_1$, 
$x_2$ are actually redundant, and are usually omitted): 

$$a.x_1 \xrightarrow[a]{\mathrm{id}} x_1 \tag{56}$$

The above rule may be read operationally as: the context prefixes the hole $x_1$ 
with the action $a$, and may become just the hole, emitting $a$ as effect, without 
any trigger. 



$$x_1 \mid x_2 \xrightarrow[\alpha]{\alpha \otimes \mathrm{id}} x_1 \mid x_2 \tag{57}$$

$$x_1 \mid x_2 \xrightarrow[\alpha]{\mathrm{id} \otimes \alpha} x_1 \mid x_2 \tag{58}$$

$$x_1 \mid x_2 \xrightarrow[\tau]{\alpha \otimes \bar{\alpha}} x_1 \mid x_2 \tag{59}$$



Of course, this simple kind of SOS example does not nearly exploit the full 
generality of the Tile Logic framework, which encompasses graph rewriting as 
well as rewriting logic and context systems. 

4 Prototyping 

The Maude implementation of Rewriting Logic (RL) [5] has several features 
that make it particularly attractive to use for prototyping operational semantics 
of programming languages. For instance, it provides meta-level functions for 
parsing, controlled rewriting, and pretty-printing; moreover, the Maude rewriting 
engine is highly efficient. Maude also supports Membership Algebra [24], which 
is an expressive framework for order-sorted algebraic specification. 

Together with Christiano Braga at SRI International, the author has recently 
been developing a representation of Modular SOS (MSOS) [31,32] in RL and 
implementing it in Maude; this involved first extending Maude with a new kind 
of conditional rule, using the Maude meta-level. (Presently, MSOS rules are 
translated manually to Maude rules, but later the translation is itself to be 
implemented using Maude meta-level facilities.) 

The translation process transforms an MSOS specification into an SOS-like 
one [32]. MSOS rules are translated into Maude rules over configurations that 
have a syntactic and a semantic component. Label formulae are translated into 
equations dealing with the associated states. The MSOS of Action Notation 
[34] is being prototyped this way — when completely implemented, together with 
further meta-level functions for processing descriptions formulated in Action Se- 
mantics [29,30], it should enable the prototyping of action-semantic descriptions 
of programming languages. 

5 Conclusion 

It is hoped that this survey of frameworks for the logical specification of opera- 
tional semantics has provided a useful overview of much of the work in this area 
(apologies to those whose favourite frameworks have been omitted). It would be 
unwise to try to draw any definite conclusions on the basis of the remarks made 
here about the various frameworks: both the SOS and the reduction semantics 
approaches have their strengths, and are currently active areas of research — as 
is Tile Logic, which is strongly related to the structural approach, as well as to 
Rewriting Logic. However, it is clear that logic has been found to be a particu- 
larly useful tool for specifying operational semantics, and appears to be preferred 
in practice to approaches based on abstract machines and interpreters. 
Abstract. Broadcast protocols are systems composed of a finite but arbitrarily 
large number of processes that communicate by rendezvous (two 
processes exchange a message) or by broadcast (a process sends a message 
to all other processes). The paper describes an optimized algorithm 
for the automatic verification of safety properties in broadcast protocols. 
The algorithm checks whether a property holds for any number of 
processes. 



1 Introduction 

Broadcast protocols [EN98] are systems composed of a finite but arbitrarily large 
number of processes that communicate by rendezvous (two processes exchange 
a message) or by broadcast (a process sends a message to all other processes). 
They are a natural model for problems involving readers and writers, such as 
cache-coherence problems. 

From a mathematical point of view, broadcast protocols can be regarded as 
an extension of vector addition systems or Petri nets. Their operational seman- 
tics is a transition system whose states are tuples of integers. Moves between 
transitions are determined by a finite set of affine transformations with guards. 
Vector Addition Systems correspond to the particular case in which the matrix 
of the affine transformation is the identity matrix. 

In [EFM99], Esparza, Finkel and Mayr show that the problem of deciding 
whether a broadcast protocol satisfies a safety property can be reduced to a 
special reachability problem, and using results by Abdulla et al. [ACJ+96] (see 
also [FS98]), they prove that this problem is decidable. They propose an ab- 
stract algorithm working on infinite sets of states. The algorithm starts with the 
set of states to be reached, and repeatedly adds to it the set of its immediate 
predecessors until a fixpoint is reached. 

As shown e.g. in [Kin99,DP99], linear arithmetic constraints can be used to 
finitely represent infinite sets of states in integer valued systems. Symbolic model 
checking algorithms can be defined using the ‘satisfiability’ and the ‘entailment’ 
test to symbolically compute the transitive closure of the predecessor relation 
defined over sets of states. However, in order to obtain an efficient algorithm it 
is crucial to choose the right format for the constraints. 
© Springer-Verlag Berlin Heidelberg 1999 

Constraint-Based Analysis of Broadcast Protocols 



In this paper we discuss different classes of constraints, and propose linear 
constraints with disjoint variables as a very suitable class for broadcast proto- 
cols. We show that the operations of computing the immediate predecessors and 
checking if the fixpoint has been reached can both be efficiently implemented. 
We also propose a compact data structure for these constraints. 

We have implemented a specialized checker based on our ideas, and used 
it to define a symbolic model checking procedure for broadcast protocols. As 
expected, the solver leads to a significant speed-up with respect to procedures 
using general purpose constraint solvers (HyTech [HHW97] and Bultan, Gerber 
and Pugh’s model checker based on the Omega library [BGP97]). We present 
some experimental results for both broadcast protocols and weighted Petri Nets. 

2 Broadcast Protocols: Syntax and Semantics 

2.1 Syntax 

A broadcast protocol is a triple $(S, L, R)$ where 

— $S$ is a finite set of states. 

— $L$ is a set of labels, composed of a set $\Sigma_l$ of local labels, two sets $\Sigma_r \times \{?\}$ and 
$\Sigma_r \times \{!\}$ of input and output rendezvous labels, and two sets $\Sigma_b \times \{??\}$ and 
$\Sigma_b \times \{!!\}$ of input and output broadcast labels, where $\Sigma_l, \Sigma_r, \Sigma_b$ are disjoint 
finite sets. The elements of $\Sigma = \Sigma_l \cup \Sigma_r \cup \Sigma_b$ are called actions. 

— $R \subseteq S \times L \times S$ is a set of transitions satisfying the following property: for 
every $a \in \Sigma_b$ and every state $s \in S$, there exists a state $s' \in S$ such that 
$s \xrightarrow{a??} s'$. Intuitively, this condition guarantees that a process is always willing 
to receive a broadcast message. 

We denote $(s, l, s') \in R$ by $s \xrightarrow{l} s'$. The letters $a, b, c, \ldots$ denote actions. Rendezvous 
and broadcast labels like $(a, ?)$ or $(b, !!)$ are shortened to $a?$ and $b!!$. We 
restrict our attention to broadcast protocols satisfying the following additional 
conditions: (i) for each state $s$ and each broadcast label $a??$ there is exactly one 
state $s'$ such that $s \xrightarrow{a??} s'$ (determinism); (ii) each label of the form $a$, $a?$, $a!$ 
and $a!!$ appears in exactly one transition. 

Consider the following example: 

[Figure: the finite-state automaton of the example protocol, with states think, wait and use and transitions labelled lock!!, lock??, unlock!! and unlock??] 
The finite-state automaton in the figure models the behaviour of a system of 
identical processes that race for using a shared resource. Initially, all processes 
are in the state think. Before accessing its own critical section, a process 
broadcasts the request lock!!. In reply to the broadcast (lock??) the remaining 
processes are forced to move to the state wait (an abstraction of a queue). After 
using the resource, the process in the critical section broadcasts the message 
unlock!! in order to restore the initial configuration. The key point here is that 
the description of the protocol is independent of the number of processes in the 
network. 

2.2 Semantics 

Let $B = (S, L, R)$ be a broadcast protocol, and let $S = \{s_1, \ldots, s_n\}$. A configuration 
is a vector $c = (c_1, \ldots, c_n)$ where $c_i$ denotes the number of processes in 
state $s_i$ for $i = 1, \ldots, n$. 

Moves between configurations are either local (a process moves in isolation 
to a new state), rendezvous (two processes exchange a message and move to 
new states), or broadcasts (a process sends a message to all other processes; all 
processes move to new states). Formally, the possible moves are the smallest 
subset of $\mathbb{N}^n \times \Sigma \times \mathbb{N}^n$ satisfying the three conditions below, where $u_i$ denotes 
the configuration such that $u_i(s_i) = 1$ and $u_i(s_j) = 0$ for $j \neq i$, and where $c \xrightarrow{a} c'$ 
denotes $(c, a, c') \in R$. 

— If $s_i \xrightarrow{a} s_j$, then $c \xrightarrow{a} c'$ for every $c, c'$ such that $c(s_i) \geq 1$ and $c' = c - u_i + u_j$. 
I.e. one process is removed from $s_i$, and one process is added to $s_j$. 

— If $s_i \xrightarrow{a?} s_j$ and $s_k \xrightarrow{a!} s_l$, then $c \xrightarrow{a} c'$ for every $c, c'$ such that $c(s_i) \geq 1$, 
$c(s_k) \geq 1$ and $c' = c - u_i - u_k + u_j + u_l$. 
I.e. one process is removed from $s_i$ and $s_k$, and one process is added to $s_j$ 
and $s_l$. 

— If $s_i \xrightarrow{a!!} s_j$, then $c \xrightarrow{a} c'$ for every $c, c'$ such that $c(s_i) \geq 1$ and $c'$ can be 
computed from $c$ in the following three steps: 

$$c_1 = c - u_i \tag{1}$$

$$c_2(s_k) = \sum_{\{s_l \mid s_l \xrightarrow{a??} s_k\}} c_1(s_l) \tag{2}$$

$$c' = c_2 + u_j \tag{3}$$

I.e. the sending process leaves $s_i$ (1), all other processes receive the broadcast 
and move to their destinations (2), and the sending process reaches $s_j$ (3). 

Thanks to the conditions (i) and (ii) of Section 2.1, the configuration $c'$ is 
completely determined by $c$ and the action $a$. 

We denote by $\preceq$ the pointwise order between configurations, i.e. $c \preceq c'$ if 
and only if $c(s_i) \leq c'(s_i)$ for every $i = 1, \ldots, n$. A parameterized configuration is 
a partial function $p : S \to \mathbb{N}$. Loosely speaking, $p(s) = \bot$ denotes that the number 
of processes in state $s$ is arbitrary. Formally, a parameterised configuration 
denotes a set of configurations, namely those extending $p$ to a total function. 
2.3 Checking Safety Properties 

In this paper we study the reachability problem for broadcast protocols, defined 
as follows: 

Given a broadcast protocol $B$, a parameterized initial configuration $p_0$ 
and a set of configurations $C$, can a configuration $c \in C$ be reached from 
one of the configurations of $p_0$? 

In [EFM99] this problem is shown to be decidable for upwards-closed sets $C$.¹ 
A set $C$ is upwards-closed if $c \in C$ and $c \preceq c'$ implies $c' \in C$. The mutual exclusion 
property of the example in the introduction can be checked by showing that 
no configuration satisfying $\mathit{Use} \geq 2$ (an upwards-closed set) is reachable from an 
initial configuration satisfying $\mathit{Wait} = 0$, $\mathit{Use} = 0$. It is shown in [EFM99] that 
the model-checking problem for safety properties can be reduced to the reachability 
problem for upwards-closed sets. (Here we follow the automata-theoretic 
approach to model-checking [VW86], in which a safety property is modelled as 
a regular set of dangerous sequences of actions the protocol should not engage 
in.) 

The algorithm of [EFM99] for the reachability problem in the upwards-closed 
case is an “instantiation” of a general backwards reachability algorithm presented 
in [ACJ+96] (see also [FS98]). Define the predecessor operator as follows: 

$$\mathit{pre}(C) = \{c \mid c \to c',\ c' \in C\}.$$

I.e., $\mathit{pre}$ takes a set of configurations $C_0$, and delivers its set of immediate predecessors. 
The algorithm repeatedly applies the predecessor operator until a 
fixpoint is reached, corresponding to the set of all predecessors of $C_0$. If this set 
contains some initial configurations, then $C_0$ is reachable. 

Proc Reach(C_0 : upwards-closed set of configurations) 
    C := C_0; 
    repeat 
        old_C := C; 
        C := old_C ∪ pre(old_C); 
    until C = old_C; 
    return C 

The algorithm works because of the following properties: (i) if $C$ is upwards-closed, 
then so is $\mathit{pre}(C)$; (ii) the set of minimal elements of an upwards-closed 
set with respect to the pointwise order is finite (see also Section 4); (iii) the 
repeat loop terminates. To prove property (i), we observe that we can associate 
to each label $a \in \Sigma$ [EFM99]: 

— The set of configurations $\mathit{Occ}_a$ from which $a$ can occur. 
In the case of local moves and broadcasts there is a state $s_i$ such that $\mathit{Occ}_a = 
\{c \mid c(s_i) \geq 1\}$. In the case of rendezvous there are states $s_i, s_j$ such that 
$\mathit{Occ}_a = \{c \mid c(s_i) \geq 1 \text{ and } c(s_j) \geq 1\}$. 

¹ On the other hand, the problem is undecidable for singleton sets. 
— An affine transformation $T_a(\mathbf{x}) = M_a \cdot \mathbf{x} + \mathbf{b}_a$ such that if $c \xrightarrow{a} c'$, then 
$c' = T_a(c)$. 
$M_a$ is a matrix whose columns are unit vectors, and $\mathbf{b}_a$ is a vector of integers. 
(Actually, the components of $\mathbf{b}_a$ belong to $\{-1, 0, 1\}$, but our results can be 
extended without changes to the case in which they are arbitrary integer 
numbers. An example is discussed in Section 8.) 

It follows that $\mathit{pre}(C)$ can be computed by the equation 

$$\mathit{pre}(C) = \bigcup_{a \in \Sigma} \bigl(\mathit{Occ}_a \cap T_a^{-1}(C)\bigr) \tag{4}$$

Hence if $C$ is upwards-closed then so is $\mathit{pre}(C)$. Properties (ii) and (iii) are an 
immediate consequence of the well-known 

Lemma 1 (Dickson’s Lemma). Let $v_1, v_2, \ldots$ be an infinite sequence of elements 
of $\mathbb{N}^n$. There exists $i < j$ such that $v_i \preceq v_j$ (pointwise order). 

The only known upper-bound for the number of iterations until termination 
is non-primitive recursive [McA84]. However, despite this result, the algorithm 
can still be applied to small but interesting examples. 
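Backward reachability for the lock/unlock protocol of the introduction, as an added example written for this page (not the authors' checker): upwards-closed sets are kept as their finite set of minimal elements, $\mathit{pre}$ is computed from $\mathit{Occ}_a$ and $T_a$ as in (4), and the loop of Reach runs until the generator set is stable. The behaviour of receivers already in state use, and the faulty variant used for contrast, are assumptions.

```python
# Added example for this page (not the authors' checker): backward reachability
# for the lock/unlock protocol.  Upwards-closed sets are stored as their finite
# set of minimal elements (finite by Dickson's lemma); pre() is computed from the
# guard Occ_a and the affine map T_a(x) = M_a x + b_a of each action.
from itertools import product

THINK, WAIT, USE = 0, 1, 2        # state indices of the example protocol
N = 3

def unit(i):
    """u_i: the configuration with a single process, in state s_i."""
    return tuple(1 if j == i else 0 for j in range(N))

def minimal(vectors):
    """Minimal elements under the pointwise order; same upward closure."""
    vs = set(vectors)
    return sorted(v for v in vs
                  if not any(w != v and all(a <= b for a, b in zip(w, v)) for w in vs))

def join(v, w):
    """Pointwise max: generator of the intersection of the upward closures."""
    return tuple(max(a, b) for a, b in zip(v, w))

def compositions(total, parts):
    """Every ordered split of `total` into `parts` natural numbers."""
    if parts == 1:
        yield (total,)
        return
    for first in range(total + 1):
        for rest in compositions(total - first, parts - 1):
            yield (first,) + rest

def broadcast(sender_from, sender_to, receivers):
    """(guard, dest, b) for a broadcast a!! taking the sender s_i to s_j;
    receivers[l] is where a process in s_l goes on a??.  Steps (1)-(3) give
    T_a(c) = M_a (c - u_i) + u_j, i.e. b_a = u_j - u_{dest(i)}."""
    b = tuple(x - y for x, y in zip(unit(sender_to), unit(receivers[sender_from])))
    return unit(sender_from), tuple(receivers), b

def pre_generators(gens, action):
    """Minimal elements of Occ_a ∩ T_a^{-1}(C) for the set C generated by gens.
    The unit-vector columns of M_a partition the states into blocks dest^{-1}(k),
    so (M_a c)_k >= m_k - b_k bounds the sum over one block, whose minimal
    solutions are the compositions of that bound over the block."""
    guard, dest, b = action
    blocks = {}
    for l in range(N):
        blocks.setdefault(dest[l], []).append(l)
    found = []
    for m in gens:
        choices = []
        for k in range(N):
            need = max(0, m[k] - b[k])
            block = blocks.get(k, [])
            if not block:              # no process ever lands in s_k after a
                if need > 0:
                    choices = None
                    break
                continue
            choices.append([(block, s) for s in compositions(need, len(block))])
        if choices is None:
            continue
        for pick in product(*choices):
            c = [0] * N
            for block, split in pick:
                for l, v in zip(block, split):
                    c[l] = v
            found.append(join(tuple(c), guard))   # intersect with Occ_a
    return minimal(found)

def backward_reach(bad_gens, actions):
    """Procedure Reach: C := C ∪ pre(C) until the generator set is stable."""
    current = minimal(bad_gens)
    while True:
        step = list(current)
        for a in actions:
            step.extend(pre_generators(current, a))
        nxt = minimal(step)
        if nxt == current:
            return current
        current = nxt

def is_safe(fixpoint, fixed):
    """True iff no initial configuration is in the fixpoint; `fixed` holds the
    counts p_0 pins down, the others being arbitrary."""
    return not any(all(m[i] <= v for i, v in fixed.items()) for m in fixpoint)

# The page's protocol: lock!! takes the sender think -> use and forces the other
# thinkers into wait; unlock!! takes the sender use -> think and releases the
# waiters.  Receivers already in `use` staying put is an assumption.
LOCK = broadcast(THINK, USE, receivers=(WAIT, WAIT, USE))
UNLOCK = broadcast(USE, THINK, receivers=(THINK, THINK, USE))
BROKEN_LOCK = broadcast(THINK, USE, receivers=(THINK, WAIT, USE))  # constructed fault
BAD = [(0, 0, 2)]                 # the upwards-closed set Use >= 2
INITIAL = {WAIT: 0, USE: 0}       # p_0: Wait = 0, Use = 0, Think arbitrary

def check_mutual_exclusion(lock=LOCK):
    """(generators of all predecessors of Use >= 2, safety verdict)."""
    fix = backward_reach(BAD, [lock, UNLOCK])
    return fix, is_safe(fix, INITIAL)
```

For the page's protocol the fixpoint is generated by (0, 0, 2) and (1, 0, 1), neither of which is dominated by an initial configuration, so mutual exclusion holds; with the faulty lock the generator (2, 0, 0) appears and the verdict flips.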

3 Symbolic Representation via Constraints 

A linear arithmetic constraint (or constraint for short) is a (finite) first-order
formula $\gamma_1 \wedge \ldots \wedge \gamma_m$ with free variables (implicitly existentially quantified), and
such that each $\gamma_i$ is an atomic formula (constraint) built over the predicates
$=$ and $\leq$ and over arithmetic expressions (without multiplication between
variables) built over $+, -, *, 0, 1$, etc.

The solutions (assignments of values to the free variables that make the
formula true) of a constraint $\phi$ over the domain $D$ are denoted by $[\![\phi]\!]_D$. In the
sequel we always take $D = \mathbb{Z}$, and abbreviate $[\![\phi]\!]_{\mathbb{Z}}$ to $[\![\phi]\!]$. We often represent
the disjunction of constraints $\phi_1 \vee \ldots \vee \phi_n$ as the set $\{\phi_1, \ldots, \phi_n\}$.

Constraints can be used to symbolically represent sets of configurations of a
broadcast protocol. Given a protocol with states $\{s_1, \ldots, s_n\}$, let $x = x_1, \ldots, x_n$
be a vector of variables, where $x_i$ is intended to stand for the number of processes
currently in state $s_i$. We assume that variables range over non-negative values (i.e.,
each variable $x_i$ comes with an implicit constraint $x_i \geq 0$). A configuration $c =
(c_1, \ldots, c_n)$ is simply represented as the constraint $\bigwedge_{i=1}^{n} x_i = c_i$. A parametric
configuration $p = (p_1, \ldots, p_n)$ is represented as the constraint $\bigwedge_{i=1}^{n} \phi_i$ where: if
$p_i \in \mathbb{N}$ then $\phi_i$ is the atomic constraint $x_i = p_i$, and if $p_i = \bot$ then $\phi_i$ is the
atomic constraint $x_i \geq 0$.

As an example, the flow of processes caused by the lock broadcast in the
protocol of the introduction is described by the constraint below (where, for
clarity, we use Think, Wait, Use instead of $x_1, x_2, x_3$, primed variables denote
the values after the broadcast, and we omit the equalities of the form $x_i' = x_i$):

$$\mathit{Think} \geq 1 \wedge \mathit{Think}' = 0 \wedge \mathit{Wait}' = \mathit{Think} + \mathit{Wait} - 1 \wedge \mathit{Use}' = \mathit{Use} + 1$$
Let $\mathcal{C}$ be a class of constraints denoting exactly the upwards-closed sets, i.e.,
if a set $S$ is upwards-closed then there is a set of constraints $\Phi \subseteq \mathcal{C}$ such that
$[\![\Phi]\!] = S$, and vice versa. We can use any such class $\mathcal{C}$ to derive a symbolic version
Symb-Reach$_\mathcal{C}$ of the procedure Reach:

    Proc Symb-Reach_C(Φ_0 : set of constraints of C)
      Φ := Φ_0;
      repeat
        old_Φ := Φ;
        Φ := old_Φ ∪ pre_C(old_Φ);
      until Entail_C(Φ, old_Φ);
      return Φ

where (a) $\mathcal{C}$ is closed under application of $pre_\mathcal{C}$, (b) $[\![pre_\mathcal{C}(\Phi)]\!] = pre([\![\Phi]\!])$, and
(c) Entail$_\mathcal{C}(\Phi, \Psi)$ = true if and only if $[\![\Phi]\!] \subseteq [\![\Psi]\!]$.

Condition (b) on $pre_\mathcal{C}$ can be reformulated in syntactic terms. Let $\Phi$ be a set
of constraints, and for each action $a$ let $G_a$ be a constraint such that $[\![G_a]\!] = Occ_a$
(we call $G_a$ the guard of the action $a$). We have $T_a^{-1}([\![\phi]\!]) = [\![\phi[x/T_a(x)]]\!]$. By
equation (4) we obtain

$$pre_\mathcal{C}(\Phi) \equiv \bigvee_{a \in \Sigma,\ \phi \in \Phi} G_a \wedge \phi[x/T_a(x)] \qquad (5)$$

where $\equiv$ denotes logical equivalence of constraints.

In the next sections we investigate which classes of constraints are suitable
for Symb-Reach$_\mathcal{C}$. We consider only classes $\mathcal{C}$ denoting exactly the upwards-closed
sets. In this way, the termination of Symb-Reach$_\mathcal{C}$ follows directly from
the termination of Reach, under the proviso that there exist procedures for
computing $pre_\mathcal{C}(\Phi)$ and for deciding Entail$_\mathcal{C}(\Phi, \Psi)$.

The suitability of a class $\mathcal{C}$ is measured with respect to the following parameters:

(1) The computational complexity of deciding Entail$_\mathcal{C}(\Phi, \Psi)$.

(2) The size of the set $pre_\mathcal{C}(\Phi)$ as a function of the size of $\Phi$.

A note about terminology. Given two sets of constraints $\Phi, \Psi$, we refer to the
containment problem as the decision problem Entail$(\Phi, \Psi)$ = true for two sets
of constraints $\Phi, \Psi$, whereas we refer to the entailment problem as the decision
problem Entail$(\{\phi\}, \{\psi\})$ = true for constraints $\phi$ and $\psi$.
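The procedure Symb-Reach, instantiated for the NA-constraints of Section 4 on a small Petri net, as an added example that is not part of the paper (the net, its place names and the Python code are constructed for this illustration). Petri-net transitions are translations guarded by their pre-set, so each $G_a \wedge \phi[x/T_a(x)]$ is again an NA-constraint and no decomposition is needed; the fixpoint test is the NA containment test of Section 4.1, and the set $\Phi$ is kept minimal after every iteration:

```python
"""Symb-Reach over NA-constraints for a small Petri net (added example).

An NA-constraint x_1 >= k_1 ∧ ... ∧ x_n >= k_n is the tuple (k_1, ..., k_n),
with k_i = 0 for an unconstrained x_i (the implicit x_i >= 0). A set of
constraints is a list of tuples read as a disjunction."""

# Constructed toy net (hypothetical, not from the paper): places I, W, C, L.
#   t1: I -> W        a process asks for the lock
#   t2: W + L -> C    it takes the lock token and enters the critical place
#   t3: C -> I + L    it leaves and returns the token
PLACES = ("I", "W", "C", "L")
TRANSITIONS = [  # (pre-set P_t, post-set Q_t); T_t(x) = x - P_t + Q_t, guard x >= P_t
    ((1, 0, 0, 0), (0, 1, 0, 0)),
    ((0, 1, 0, 1), (0, 0, 1, 0)),
    ((0, 0, 1, 0), (1, 0, 0, 1)),
]


def entails(phi, psi):
    """phi entails psi iff every bound of phi is at least the bound of psi."""
    return all(k >= l for k, l in zip(phi, psi))


def contains(big, small):
    """Entail_NA(big, small): every constraint of big entails one of small."""
    return all(any(entails(phi, psi) for psi in small) for phi in big)


def minimize(constraints):
    """Keep only the minimal elements; a constraint entailing another is dropped.
    Sorting puts a pointwise-smaller tuple before any tuple it subsumes."""
    kept = []
    for phi in sorted(set(constraints)):
        if not any(entails(phi, psi) for psi in kept):
            kept.append(phi)
    return kept


def pre_t(phi, pre_vec, post_vec):
    """G_t ∧ phi[x/T_t(x)]: x >= P_t and x - P_t + Q_t >= k, i.e. x >= max(P_t, k + P_t - Q_t)."""
    return tuple(max(p, k + p - q) for p, q, k in zip(pre_vec, post_vec, phi))


def pre(constraints):
    return [pre_t(phi, p, q) for phi in constraints for p, q in TRANSITIONS]


def symb_reach(phi0):
    """The repeat loop of Symb-Reach, with Φ kept minimal after each step."""
    cur = minimize(phi0)
    while True:
        old = cur
        cur = minimize(old + pre(old))
        if contains(cur, old):  # Entail_NA(Φ, old_Φ): nothing new, fixpoint
            return cur


def meets(param_config, constraints):
    """Does a parametric configuration (None = ⊥, any value) intersect [Φ]?"""
    return any(all(p is None or p >= k for p, k in zip(param_config, phi))
               for phi in constraints)


def check(unsafe, initial):
    """(minimal elements of pre*(unsafe), whether initial can reach unsafe)."""
    closure = symb_reach(unsafe)
    return closure, meets(initial, closure)


if __name__ == "__main__":
    # Unsafe: two processes in C. Initial: any number in I, the lock token in L.
    closure, bad = check([(0, 0, 2, 0)], (None, 0, 0, 1))
    for phi in closure:
        print(" ∧ ".join(f"{s} >= {k}" for s, k in zip(PLACES, phi) if k))
    print("unsafe reachable:", bad)
```

On this net the fixpoint consists of the six minimal elements of $C + L \geq 2 \wedge I + W + C \geq 2$ (both sums are invariants of the net), none of which the initial configuration satisfies, so $C \geq 2$ is unreachable; with two lock tokens ($L = 2$) the same test reports it reachable.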

4 NA-Constraints: No Addition

An NA-constraint is a conjunction of atomic constraints of the form $x_i \geq k$, where
$x_i \in \{x_1, \ldots, x_n\}$ and $k$ is a positive integer.

The class of NA-constraints denotes exactly the upwards-closed sets. If $\Phi$ is a
set of NA-constraints then $[\![\Phi]\!]$ is clearly upwards-closed. For the other direction,
observe first that an upwards-closed set $C$ is completely characterised by its set of
minimal elements $M$, where minimality is taken with respect to the pointwise order
$\preceq$. More precisely, we have $C = \bigcup_{m \in M} Up(m)$ where $Up(m) = \{c \mid c \succeq m\}$.

The set $M$ is finite by Dickson's lemma, and $Up(m)$ can be represented by the
constraint $x_1 \geq m(s_1) \wedge \ldots \wedge x_n \geq m(s_n)$. So the set $C$ can be represented by
a set of NA-constraints.



4.1 Complexity of the Containment Problem in NA

The containment problem can be solved in polynomial time. In fact, the following
properties hold. Let $\Phi, \Psi$ be sets of NA-constraints. Then,

– $\Phi$ entails $\Psi$ if and only if for every constraint $\phi \in \Phi$ there is a constraint
$\psi \in \Psi$ such that $\phi$ entails $\psi$.

– $\bigwedge_{i=1}^{m} x_i \geq k_i$ entails $\bigwedge_{i=1}^{m} x_i \geq l_i$ if and only if $k_i \geq l_i$ for $i = 1, \ldots, m$.

Thus, the worst-case complexity of the test "$\Phi$ entails $\Psi$" is $O(|\Phi| \cdot |\Psi| \cdot n)$, where
$n$ is the number of variables in $\Phi$ and $\Psi$.



4.2 Size of the Set $pre_{NA}(\Phi)$

Let $\Phi$ be a set of NA-constraints. By equation (5), $pre_{NA}(\Phi)$ must be equivalent
to the set $\bigvee_{a \in \Sigma,\ \phi \in \Phi} G_a \wedge \phi[x/T_a(x)]$. Unfortunately, we cannot choose $pre_{NA}(\Phi)$
equal to this set, because it may contain constraints of the form $x_{i_1} + \ldots + x_{i_m} \geq
k$. However, when evaluating variables on non-negative integers, a constraint of the
form $x_{i_1} + \ldots + x_{i_m} \geq k$ is equivalent to the following set (disjunction) of NA-constraints:

$$\bigvee_{(k_1, \ldots, k_m)} x_{i_1} \geq k_1 \wedge \ldots \wedge x_{i_m} \geq k_m$$

where each tuple of non-negative integers $(k_1, \ldots, k_m)$ represents an ordered partition
of $k$, i.e. $k_1 + \ldots + k_m = k$. (Moreover, it is easy to see that this is the smallest
representation of $x_{i_1} + \ldots + x_{i_m} \geq k$ with NA-constraints: the tuples are exactly the
minimal elements of its solution set.) We define the operator $pre_{NA}$ as the result of
decomposing all constraints with additions of (5) into NA-constraints.

The cardinality of $pre_{NA}(\Phi)$ depends on the number of ordered partitions of
the constants appearing in constraints with additions. For $x_1 + \ldots + x_m \geq k$, this
number, denoted by $p(m, k)$, is equal to the number of subsets of $\{1, 2, \ldots, k + m - 1\}$
containing $m - 1$ elements, i.e.,

$$p(m, k) = \binom{k + m - 1}{m - 1} = \binom{k + m - 1}{k}$$

If $c$ is the biggest constant occurring in constraints of $\Phi$, and $n, a$ are the
number of states and actions of the broadcast protocol, we get $|pre_{NA}(\Phi)| \in
O(|\Phi| \cdot a \cdot p(n, c))$. This makes NA-constraints inadequate for cases in which the
constants $c \approx n$, initially or during the iteration of algorithm Symb-Reach$_{NA}$. In
this case we get $p(n, c) \approx \binom{2n - 1}{n - 1}$, which is exponential in $n$ and leads to an exponential blow-up.
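The decomposition and the count $p(m, k)$, as an added example that is not part of the paper (Python code constructed for this page). It enumerates the ordered partitions, confirms by brute force on a bounded box that the disjunction has the same solutions as the sum constraint, and evaluates $p(n, n)$ to show the growth the text describes:

```python
"""Decomposition of x_1 + ... + x_m >= k into NA-constraints (added example).

Over non-negative integers the sum constraint equals the disjunction of
x_1 >= k_1 ∧ ... ∧ x_m >= k_m over all ordered partitions (k_1, ..., k_m) of k,
and that disjunction has p(m, k) = C(k+m-1, m-1) members."""
from itertools import product
from math import comb


def ordered_partitions(m, k):
    """All m-tuples of non-negative integers that sum to k."""
    if m == 1:
        yield (k,)
        return
    for first in range(k + 1):
        for rest in ordered_partitions(m - 1, k - first):
            yield (first,) + rest


def decompose(m, k):
    """NA-constraints (bound tuples) equivalent to x_1 + ... + x_m >= k.
    Each tuple is a minimal solution, so no smaller NA representation exists."""
    return sorted(ordered_partitions(m, k))


def p(m, k):
    """Size of the decomposition: C(k+m-1, m-1) = C(k+m-1, k)."""
    return comb(k + m - 1, m - 1)


def same_solutions(m, k, box):
    """Brute-force check of the equivalence on the box {0, ..., box}^m."""
    disjuncts = decompose(m, k)
    for x in product(range(box + 1), repeat=m):
        lhs = sum(x) >= k
        rhs = any(all(xi >= ki for xi, ki in zip(x, d)) for d in disjuncts)
        if lhs != rhs:
            return False
    return True


if __name__ == "__main__":
    print(decompose(2, 2))          # [(0, 2), (1, 1), (2, 0)]
    for n in (2, 5, 10, 20):        # constants c ≈ n, as in the text
        print(n, p(n, n))
```

For $n = 20$ a single constraint with addition already becomes $p(20, 20) = \binom{39}{19}$ NA-constraints, which is why the iteration of Symb-Reach$_{NA}$ is hopeless once constants approach the number of states.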
4.3 Conclusion

NA-constraints have an efficient entailment algorithm, but they are inadequate
as a data structure for Symb-Reach. Whenever the constants in the constraints
reach values similar to the number of states, the number of constraints grows
exponentially.

The blow-up is due to the decomposition of constraints with additions into
NA-constraints. In the following section we investigate whether constraints with
additions are a better data structure.

5 AD-Constraints: With Addition

An AD-constraint is a conjunction of atomic constraints $x_{i_1} + \ldots + x_{i_m} \geq k$
where $x_{i_1}, \ldots, x_{i_m}$ are distinct variables of $\{x_1, \ldots, x_n\}$, and $k$ is a positive
integer. A constraint in AD can be characterized as a system of inequalities
$A \cdot x \geq b$ where $A$ is a 0-1 matrix.

It is easy to see that AD-constraints denote exactly the upwards-closed
sets. Since AD-constraints are equivalent to disjunctions of NA-constraints, they
only denote upwards-closed sets, and since they are more general than NA-constraints,
they denote them all.

5.1 Complexity of the Containment Problem in AD

The following result shows that even the entailment test between two AD-constraints
is difficult to decide.

Proposition 1 (Entailment in AD is co-NP complete). Given two AD-constraints
$\phi$ and $\psi$, the problem "$\phi$ entails $\psi$" is co-NP complete.

Proof. By reduction from HITTING SET [GJ78]. An instance of HITTING SET
consists of a finite set $S = \{s_1, \ldots, s_n\}$, a finite family $S_1, \ldots, S_m$ of subsets of
$S$, and a constant $k < n$. The problem is to find $T \subseteq S$ of cardinality at most $k$
that hits all the $S_i$, i.e., such that $S_i \cap T \neq \emptyset$.

Take a collection of variables $X = \{x_1, \ldots, x_n\}$. Let $\phi$ be a conjunction of
atomic constraints $\phi_i$, one for each set $S_i$, given by: if $S_i = \{s_{i_1}, \ldots, s_{i_r}\}$, then
$\phi_i = x_{i_1} + \ldots + x_{i_r} \geq 1$. Let $\psi = x_1 + \ldots + x_n \geq k + 1$.

If $\phi$ does not entail $\psi$, then there is a valuation $V\colon X \to \mathbb{N}$ that satisfies $\phi$
but not $\psi$. Let $T$ be the set given by: $s_i \in T$ if and only if $V(x_i) > 0$. Since $V$
satisfies $\phi$, $T$ is a hitting set. Since $V$ does not satisfy $\psi$, $T$ contains at most $k$
elements.

If $T$ is a hitting set with at most $k$ elements, then the valuation $V\colon X \to \mathbb{N}$
given by $V(x_i) = 1$ if $s_i \in T$, and $0$ otherwise, satisfies $\phi$ but not $\psi$.

This implies that entailment of AD-constraints is co-NP-hard. Completeness
follows by noting that the containment problem for sets of linear arithmetic
constraints is co-NP complete [Sri92]. □

The following corollary immediately follows.

Corollary 1 (Containment in AD is co-NP complete). Given two sets of
AD-constraints $\Phi$ and $\Psi$, the problem "$\Phi$ entails $\Psi$" is co-NP complete.

5.2 Size of the Set $pre_{AD}(\Phi)$

We can define

$$pre_{AD}(\Phi) = \bigvee_{a \in \Sigma,\ \phi \in \Phi} G_a \wedge \phi[x/T_a(x)]$$

since the right-hand side is a set of AD-constraints whenever $\Phi$ is. If $a$ is the
number of actions of the broadcast protocol, then $|pre_{AD}(\Phi)| \in O(|\Phi| \cdot a)$.

5.3 Conclusion

AD-constraints are not a good data structure for Symb-Reach either, due to the
high computational cost of checking containment and entailment. This result
suggests looking for a class of constraints between NA and AD.

6 DV-Constraints: With Distinct Variables

DV-constraints are AD-constraints of the form

$$\sum_{x \in Y_1} x \geq k_1 \wedge \ldots \wedge \sum_{x \in Y_m} x \geq k_m,$$

where the sets of variables $Y_1, \ldots, Y_m$ are pairwise disjoint, i.e., no variable occurs in
two atomic constraints (distinct variables, DV). In other words, a DV-constraint can be
represented as $A \cdot x \geq b$ where $A$ is a 0-1 matrix with unit vectors as columns.

Since DV-constraints are more general than NA-constraints, but a particular
case of AD-constraints, they denote exactly the upwards-closed sets.

6.1 Complexity of the Containment Problem in DV

Entailment between sets of DV-constraints can still be very expensive, as shown
by the following result.

Proposition 2 (Containment in DV is co-NP complete). Given two sets
of DV-constraints $\Phi$ and $\Psi$, the problem "$\Phi$ entails $\Psi$" is co-NP complete.

Proof. By reduction from INDEPENDENT SET [GJ78]. An instance of INDEPENDENT
SET consists of a finite graph $G = (V, E)$ and a constant $k < |V|$.
The problem is to find $I \subseteq V$ of cardinality at most $k$ such that for every $u, v \in I$
there is no edge between $u$ and $v$.

Assume $V = \{v_1, \ldots, v_n\}$. Take a collection of variables $X = \{x_1, \ldots, x_n\}$.
The set $\Phi$ contains a constraint $x_i \leq 1$ for $i = 1, \ldots, n$, and $x_i + x_j \leq 1$ for every
edge $(v_i, v_j) \in E$. The set $\Psi$ is the singleton $\{\psi\}$, where $\psi = x_1 + \ldots + x_n \geq k + 1$.

If $\Phi$ does not entail $\psi$, then there is a valuation $V\colon X \to \mathbb{N}$ that satisfies $\Phi$
but not $\psi$. Let $I$ be the set given by: $v_i \in I$ if and only if $V(x_i) > 0$. Since $V$
satisfies $\Phi$, $I$ is an independent set. Since $V$ does not satisfy $\psi$, $I$ contains at
most $k$ elements.

If $I$ is an independent set with at most $k$ elements, then the valuation $V\colon X \to
\mathbb{N}$ given by $V(x_i) = 1$ if $v_i \in I$, and $0$ otherwise, satisfies $\Phi$ but not $\psi$. □

However, and differently from the AD case, checking entailment between two
DV-constraints can be done in polynomial time. Let $Var(\phi)$ denote the set of
free variables occurring in the constraint $\phi$, and let $Cons(\gamma)$ denote the constant
occurring in the atomic constraint $\gamma$. We have the following result:

Proposition 3. Let $\phi$ and $\gamma$ be an arbitrary and an atomic DV-constraint,
respectively. Let $\Delta$ be the largest set of atomic constraints $\delta$ in $\phi$ such that
$Var(\delta) \subseteq Var(\gamma)$. Then, $\phi$ entails $\gamma$ if and only if $\sum_{\delta \in \Delta} Cons(\delta) \geq Cons(\gamma)$.

Proof. ($\Rightarrow$): Assume $\sum_{\delta \in \Delta} Cons(\delta) < Cons(\gamma)$. Then, any valuation that assigns
$Cons(\delta)$ to one variable of each $\delta \in \Delta$ and $0$ to the others, $0$ to the remaining variables
of $Var(\gamma)$, and, for each atomic constraint of $\phi$ outside $\Delta$, its constant to one of its
variables not in $Var(\gamma)$, satisfies $\phi$ but not $\gamma$.

($\Leftarrow$): Clearly $\phi$ entails $\Delta$. Since $\phi$ is a DV-constraint, $\Delta$ entails the constraint
$\sum_{x_i \in Var(\Delta)} x_i \geq \sum_{\delta \in \Delta} Cons(\delta)$. Since $Var(\Delta) \subseteq Var(\gamma)$ and $\sum_{\delta \in \Delta} Cons(\delta) \geq
Cons(\gamma)$, it also entails $\sum_{x_i \in Var(\gamma)} x_i \geq Cons(\gamma)$, which is the constraint $\gamma$. □

For instance, we have that $x_1 + x_2 \geq a \wedge x_3 \geq b$ entails $x_1 + x_2 + x_3 + x_4 \geq c$ if
and only if $a + b \geq c$.

Since $\phi$ entails $\psi$ if and only if $\phi$ entails each atomic constraint of $\psi$, we get
the following

Corollary 2 (Entailment in DV is in P). Given two DV-constraints $\phi$ and
$\psi$, it can be checked in polynomial time whether $\phi$ entails $\psi$.

Since the symbolic procedure for the reachability problem requires checking
containment, and not entailment, Corollary 2 does not seem to be of much use at
first sight. However, it allows us to define a new reachability procedure by replacing
the Entail$_\mathcal{C}(\Phi, old\_\Phi)$ test in Symb-Reach by the local containment test:

    forall φ ∈ Φ exists ψ ∈ old_Φ : φ entails ψ

Clearly, the local containment test implies the containment test, and so the new
procedure is partially correct. The risk of weakening the fixpoint test is that we
may end up with a non-terminating algorithm. Fortunately, this turns out not
to be the case, as shown by the following proposition.

Proposition 4. The procedure Symb-Reach$_{DV}$ terminates.

Proof. Let $X$ be a set of variables. Given $Y \subseteq X$, let $Y \geq k$ denote the constraint
$\sum_{x \in Y} x \geq k$. Let $\phi$ be a DV-constraint on $X$. We define the function $f_\phi$, which assigns to
$Y \subseteq X$ a natural number, as follows:

$$f_\phi(Y) = \begin{cases} k & \text{if } \phi \text{ contains the constraint } Y \geq k \\ 0 & \text{otherwise} \end{cases}$$

Observe that $f_\phi$ is well defined because $\phi$ is a DV-constraint. Define the pointwise
ordering $\preceq$ on these functions, given by $f_\phi \preceq f_\psi$ if $f_\phi(Y) \leq f_\psi(Y)$ for every
subset $Y$ of $X$. We prove that the pointwise ordering implies the local containment
test, i.e., for DV-constraints, if $f_\phi \succeq f_\psi$ then $\phi$ entails $\psi$.

Let $Y \geq k$ be an atomic constraint of $\psi$. It follows from $f_\phi(Y) \geq f_\psi(Y)$ that
$\phi$ contains a constraint $Y \geq k'$ such that $k' \geq k$. So every solution of $\phi$ is a
solution of $Y \geq k$. (The converse implication does not hold in general: by Proposition 3,
$x_1 \geq 2 \wedge x_2 \geq 3$ entails $x_1 + x_2 \geq 5$ although $f_\phi(\{x_1, x_2\}) = 0$; only the
implication just proved is needed below.)

Assume now that Symb-Reach$_{DV}$ does not terminate. Then, the $i$-th iteration of
the repeat loop generates at least one constraint $\phi_i$ such that $\phi_i$ does not entail
$\phi_j$ for any $j < i$. By the result above, the sequence of functions $f_{\phi_i}$ satisfies
$f_{\phi_i} \not\succeq f_{\phi_j}$ for any $j < i$. This contradicts Dickson's lemma (consider a function
$f_\phi$ as a vector of $\mathbb{N}^{2^{|X|}}$). □

6.2 Size of the Set $pre_{DV}(\Phi)$

If $\Phi$ is a set of DV-constraints, then the set of constraints (5) may contain
AD-constraints with shared variables. However, each constraint in set (5) is
either a DV-constraint or has one of the two following forms: $\phi \wedge x_i \geq 1$ or
$\phi \wedge x_i \geq 1 \wedge x_j \geq 1$, where $\phi$ is a DV-constraint with at most one occurrence of
$x_i$ and $x_j$. The constraints of the form $x_i \geq 1$ correspond to the 'guards' of the
transition rules of the protocol. Thus, in order to maintain constraints in DV-form,
all we have to do is to merge the 'guards' and the remaining DV-constraint
(i.e. $\phi$). The operator $pre_{DV}$ is defined as the result of applying the following
normalization: Given a constraint $x \geq 1 \wedge x + y_1 + \ldots + y_m \geq k \wedge \phi$ where, by
hypothesis, $x$ does not occur in $\phi$, replace it by the equivalent set of constraints

$$\bigvee_{i=0}^{k-1} \bigl( x \geq k - i \wedge y_1 + \ldots + y_m \geq i \wedge \phi \bigr).$$

In the worst case, it is necessary to reduce each new constraint with respect to
two guards, possibly generating $O(k^2)$ new constraints. Thus, if $a$ is the number
of actions of the protocol and $c$ is the maximum constant occurring in the set $\Phi$
of DV-constraints, we have $|pre_{DV}(\Phi)| \in O(|\Phi| \cdot a \cdot c^2)$.
6.3 Conclusion

DV-constraints are a good compromise between AD and NA-constraints. The
application of $pre_{DV}$ does not cause an exponential blow-up as in the case of
NA-constraints. Furthermore, though the containment test is co-NP complete, it
can be relaxed to an entailment test of low polynomial complexity, unlike the case of
AD-constraints. Moreover, as shown in the next section, sets of DV-constraints
can be compactly represented.



7 Efficient Representation of Sets of Constraints

DV-constraints can be manipulated using very efficient data structures and
operations. We consider constraints over the variables $\{x_1, \ldots, x_n\}$.

Each atomic DV-constraint $\sum_{x_i \in Y} x_i \geq k$ can be represented as a pair $(b, k)$,
where $b$ is a bit-vector, i.e., $b = (b_1, \ldots, b_n)$ and $b_i = 1$ if $x_i \in Y$, and $0$
otherwise. Thus, a DV-constraint can be represented as a set of pairs. Based
on this encoding, the decision procedure of Corollary 2 can be defined using the
bit-vector operations not and or. ($\mathbf{1}$ denotes the bit-vector containing only 1's;
the test $(\mathit{not}(b_1)\ \mathit{or}\ b_2) = \mathbf{1}$ checks that every variable of $b_1$ also occurs in $b_2$,
i.e., $Var(\delta) \subseteq Var(\gamma)$ in the terms of Proposition 3.)

    Proc Entails(cstr1, cstr2 : codings of DV-constraints)
      var s : integer
      for all pairs (b2, k2) in cstr2
        s := 0;
        for all pairs (b1, k1) in cstr1
          if (not(b1) or b2) = 1 then s := s + k1 endif
        endfor;
        if s < k2 then return false endif
      endfor;
      return true
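A Python version of Entails, together with the local containment test of Section 6.1 and the guard normalization of Section 6.2, added here as an example that is not part of the paper (the code and its sample constraints are constructed for this page). Bit-vectors are Python integers with bit $i$ set iff $x_i \in Y$, so the test $(\mathit{not}(b_1)\ \mathit{or}\ b_2) = \mathbf{1}$ becomes `(b1 & ~b2) == 0`; a brute-force solution enumeration is included to check the normalization against the un-normalized constraint on a bounded box:

```python
"""DV-constraints as sets of (bitvector, constant) pairs (added example).

An atomic constraint  Σ_{x_i ∈ Y} x_i >= k  is the pair (b, k) with bit i of b
set iff x_i ∈ Y; a DV-constraint is a frozenset of such pairs with pairwise
disjoint bitvectors. entails follows Proposition 3 / the Entails procedure,
local_containment is the relaxed fixpoint test of Section 6.1 and
normalize_guard the merge step of Section 6.2."""
from itertools import product


def bits(*indices):
    """Bitvector for the variables x_i with i in indices."""
    b = 0
    for i in indices:
        b |= 1 << i
    return b


def is_dv(cstr):
    """No variable may occur in two atomic constraints."""
    seen = 0
    for b, _ in cstr:
        if seen & b:
            return False
        seen |= b
    return True


def entails(cstr1, cstr2):
    """cstr1 entails cstr2 iff, for each atom (b2, k2) of cstr2, the constants of
    the atoms of cstr1 whose variables all lie in b2 sum to at least k2.
    (b1 & ~b2) == 0 is the paper's (not(b1) or b2)
    = 1, i.e. Var(δ) ⊆ Var(γ)."""
    for b2, k2 in cstr2:
        s = sum(k1 for b1, k1 in cstr1 if (b1 & ~b2) == 0)
        if s < k2:
            return False
    return True


def local_containment(new, old):
    """forall φ ∈ new exists ψ ∈ old : φ entails ψ (implies [new] ⊆ [old])."""
    return all(any(entails(phi, psi) for psi in old) for phi in new)


def normalize_guard(x, ys, k, rest=frozenset()):
    """x >= 1 ∧ x + Σys >= k ∧ rest (x not in rest) as a set of DV-constraints:
    ⋁_{i=0}^{k-1} (x >= k-i ∧ Σys >= i ∧ rest). Atoms with constant 0 are dropped."""
    if k <= 1:  # x >= 1 already implies x + Σys >= k
        return [frozenset({(bits(x), 1)} | rest)]
    out = []
    for i in range(k):
        atoms = {(bits(x), k - i)}
        if i > 0:
            atoms.add((bits(*ys), i))
        out.append(frozenset(atoms | rest))
    return out


def satisfies(cstr, v):
    """Does the valuation v (a tuple indexed by variable) satisfy cstr?"""
    return all(sum(v[i] for i in range(len(v)) if b >> i & 1) >= k for b, k in cstr)


def solutions(cstrs, n, box):
    """Solutions of a set (disjunction) of constraints inside {0, ..., box}^n."""
    return {v for v in product(range(box + 1), repeat=n)
            if any(satisfies(c, v) for c in cstrs)}


def guard_solutions(x, ys, k, rest, n, box):
    """Solutions of the un-normalized x >= 1 ∧ x + Σys >= k ∧ rest, by brute force."""
    return {v for v in product(range(box + 1), repeat=n)
            if v[x] >= 1 and v[x] + sum(v[y] for y in ys) >= k and satisfies(rest, v)}


if __name__ == "__main__":
    # x1 + x2 >= 3 ∧ x3 >= 2 entails x1 + x2 + x3 + x4 >= c  iff  3 + 2 >= c
    phi = frozenset({(bits(1, 2), 3), (bits(3), 2)})
    for c in (5, 6):
        print(c, entails(phi, {(bits(1, 2, 3, 4), c)}))
    for d in normalize_guard(0, [1, 2], 3, frozenset({(bits(3), 1)})):
        print(sorted(d))
```

The inner loop of `entails` is the $O(|\phi| \cdot |\psi|)$ word-level test of the procedure above; `normalize_guard` produces exactly $k$ DV-constraints for one guard, which is where the $c^2$ factor of Section 6.2 comes from when two guards have to be merged.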

8 Examples

In this section we present and discuss some experimental results. We first show
some examples of systems and properties that we were able to verify automatically,
and then we compare the execution times obtained by using different
constraint systems.

The protocol shown in Fig. 1 models a network of processes accessing two
shared files (called 'a' and 'b') under the last-in first-served policy. When a
process wants to write on one of the files, all processes reading it are redirected
to the initial state I. In the state I a process must send a broadcast before
starting to read a file: in this case all writers are sent back to the state I (last-in
first-served). Note that processes operating on 'b' simply skip the broadcast
concerning operations on 'a' and vice versa. The protocol must ensure mutual
[Fig. 1. Last-in first-served access to two resources. (Figure not reproduced.)]

exclusion between readers and writers. The initial parameterized configuration
of the protocol is

$$I \geq 1,\ S_a = 0,\ S_b = 0,\ E_a = 0,\ E_b = 0,\ M_a = 0,\ M_b = 0.$$

We prove that the unsafe configurations $S_a \geq 1, M_a \geq 1$ are not reachable.

In Fig. 2, we describe a central server model [ABC+95]. Processes in state
think represent thinking clients that submit jobs to the CPU. A number of
processes may accumulate in state wait_cpu. The first job requesting the CPU
finds it idle and starts using it. A job that completes its service proceeds to
a selection point where it either continues by requesting the I/O subsystem or leaves the
central system. No specific policy is specified for the queues of waiting jobs. In the
initial state of the broadcast protocol in Fig. 2 an arbitrary number of processes
are in state think, whereas one process each is in state idle_cpu, idle_disk and
no_int. The protocol must ensure that only one job at a time can use the CPU and
the I/O subsystem. The flow of processes is represented by a collection of rules
over 17 variables (one for each state). The initial parameterized configuration of
the protocol is

$$\mathit{Think} \geq 1,\ \mathit{Idle}_{cpu} = 1,\ \mathit{Idle}_{disk} = 1,\ \mathit{No\_int} = 1,$$
[Fig. 2. Central Server System. (Figure not reproduced; its panels are CLIENT, CPU, DISK and INTERRUPTS, with the broadcasts stop?? and return??.)]

with all other variables equal to zero. We prove that the unsafe configurations
$\mathit{Use}_{cpu} \geq 2$ are not reachable.

Petri nets can be seen as a special case of broadcast protocols where the constraints
generated during the analysis are in NA-form. Consider the Petri net of
[Ter94] shown in Fig. 3, which describes a system for manufacturing tables (for
instance, transition $t_4$ assembles a table by taking a board from the place $p_6$
and four legs from the place $p_5$). The constraint-based representation introduces
a variable for each place and for each transition. The variables corresponding
to transitions count the number of times a transition is fired during the execution.
There is a rule for each transition. For instance, the rule corresponding to
transition $t_4$ is

$$P_5 \geq 4,\ P_6 \geq 1,\ P_6' = P_6 - 1,\ P_5' = P_5 - 4,\ P_7' = P_7 + 1,\ T_4' = T_4 + 1$$

In [Ter94] it is shown that an initial marking of this net is deadlock-free (i.e.,
no sequence of transition occurrences can lead to a deadlock) if and only if it
enables a sequence of transition occurrences containing $t_1$ at least three times
and all other transitions at least twice. Based on this preliminary result we can
then compute all deadlock-free initial states. They are exactly the predecessor
states of the states

$$T_1 \geq 3,\ T_2 \geq 2,\ T_3 \geq 2,\ T_4 \geq 2,\ T_5 \geq 2,\ T_6 \geq 2$$

[Fig. 3. Manufacturing System modeled as a Choice-free Petri Net. (Figure not reproduced.)]

intersected with the initial states of the system, i.e., those such that $T_i = 0$ for
all $i$ and $P_5 = P_6 = P_7 = 0$. The result of the fixpoint computation is given by
the following set of constraints:

    P_1 ≥ 10, P_2 ≥ 1, P_3 ≥ 2
    P_1 ≥ 8,  P_2 ≥ 3
    P_1 ≥ 12, P_3 ≥ 2
    P_1 ≥ 6,  P_2 ≥ 5, P_3 ≥ 2
    P_1 ≥ 8,  P_3 ≥ 1, P_4 ≥ 1
    P_1 ≥ 6,  P_4 ≥ 2
    P_1 ≥ 6,  P_2 ≥ 1, P_3 ≥ 1, P_4 ≥ 1



8.1 Comparison of Execution Times

We have tested the previous examples on HyTech (polyhedra representation of
sets of configurations, full entailment test), on Bultan, Gerber and Pugh's model
checker based on the Omega library for Presburger arithmetic [BGP97], and on
the specialized model checker we have introduced in the paper (DV-constraint
representation of sets of states, local entailment test). HyTech works on real
arithmetic, i.e., it employs efficient constraint solving for dealing with linear
constraints. The results are shown in the following table, where 'Presb' refers to
the model checker of [BGP97], and 'Bit Vector' to our checker.

    Fig | Rules | Unsafe States          | Steps | Bit Vector* | HyTech* | Presb*
    ----+-------+------------------------+-------+-------------+---------+-----------
     1  |  21   | S_a ≥ 1, M_a ≥ 1       |   2   |   <1s       |  <1s    | not tested
     2  |   9   | Use_cpu ≥ 2            |   7   |   <1s       |  5.5s   | 40s
        |       | Use_cpu ≥ 3            |  10   |   <1s       |  16s    | 290s
        |       | Use_cpu ≥ 4            |  13   |   <1s       |  40s    | 1558s
        |       | Use_cpu ≥ [illegible]  |  25   |   15s       |  578s   | not tested
        |       | Use_cpu ≥ 10           |  31   |   76s       |  1738s  | not tested
     3  |   6   | T_1 ≥ 3, T_{i>1} ≥ 2   |  24   |   1090s     |  >6h    | 19h50m

    * Measured on a Sun Sparc 5.6 or on a Sun Ultra Sparc, respectively.
9 Related Work

The first algorithm for testing safety properties of broadcast protocols was
proposed by Emerson and Namjoshi in [EN98]. Their approach is based on an
extension of Karp and Miller's cover graph construction (used for Petri nets)
[KM69]. In [EFM99], Esparza, Finkel and Mayr show that the algorithm may
not terminate and propose a backwards-reachability procedure. The correctness
of the procedure follows from general results on the decidability of infinite state
systems by Abdulla et al. [ACJ+96]. In [Kin99], Kindahl uses constraints as
symbolic representation of upwards-closed sets for Petri nets and lossy channel
systems, but does not discuss the issue of finding adequate classes of constraints.
Finally, Delzanno and Podelski [DP99], and Bérard and Fribourg [BF99] have
recently applied real arithmetic to model checking of integer systems.

10 Conclusion

We have proposed linear constraints with disjoint variables as a good symbolic
representation for upwards-closed sets of configurations of broadcast protocols.
Experimental results show that even a prototype implementation can beat tools
for more general constraints.

Acknowledgements. We thank Tevfik Bultan for the experiments using his model
checker based on Presburger arithmetic [BGP97].
Abstract. We consider the data complexity of various logics on two
important classes of constraint databases: dense order and linear constraint
databases. For dense order databases, we present a general result
allowing us to lift results on logics capturing complexity classes from
the class of finite ordered databases to dense order constraint databases.
Considering linear constraints, we show that there is a significant gap
between the data complexity of first-order queries on linear constraint
databases over the real and the natural numbers. This is done by proving
that for arbitrarily high levels of the Presburger arithmetic there are
complete first-order queries on databases over $(\mathbb{N}, <, +)$. The proof of
the theorem demonstrates a simple argument for translating complexity
results for prefix classes in logical theories to results on the complexity
of query evaluation in constraint databases.



1 Introduction

Descriptive complexity theory studies the relationship between logical definability
and computational complexity. In particular one looks for results saying that,
on a certain class $\mathcal{K}$ of structures, a logic $L$ (like first-order logic or least fixed
point logic) captures a complexity class $C$. This means that (1) for every fixed
sentence $\psi \in L$, the complexity of evaluating $\psi$ on structures from $\mathcal{K}$ is a problem
in the complexity class $C$, and (2) every property of structures in $\mathcal{K}$ that
can be decided with complexity $C$ is definable in the logic $L$. Two important examples
of such results are Fagin's Theorem, saying that existential second-order
logic captures NP on the class of all finite structures, and the Immerman-Vardi
Theorem, saying that least fixed point logic captures Ptime on the class of all
ordered finite structures. Indeed, on ordered finite structures, logical characterizations
of this kind are known for all major complexity classes. On the other
hand it is not known, and one of the major open problems in the area, whether
Ptime can be captured by any logic if no ordering is present. We refer to [1, 10]
for background on descriptive complexity.

Up to now, descriptive complexity has been considered almost exclusively
on finite structures. But the research program of descriptive complexity makes
sense also for classes of infinite structures, provided that they admit a finite
presentation. There have been a few studies of descriptive complexity theory on
infinite structures concerning, for instance, metafinite structures and complexity
theory over the reals [3, 4], recursive structures [8] and, as we do in the present
paper, constraint databases (see e.g. [12, 6, 5] and the references there).

Constraint databases are a modern database model admitting infinite relations
that are finitely presented by quantifier-free formulae (constraints) over
some fixed background structure. For example, to store geometrical data, it is
useful to have not just a finite set as the domain of the database, but to include
all real numbers 'in the background'. Also the presence of interpreted functions,
like addition and multiplication, is desirable. The constraint database framework
introduced by Kanellakis, Kuper and Revesz [12] meets both requirements. Formally,
a constraint database consists of a context structure $\mathfrak{A}$, like $(\mathbb{R}, <, +, \cdot)$,
and a set $\{\varphi_1, \ldots, \varphi_m\}$ of quantifier-free formulae defining the database relations.
We give the precise definition in the next section.

When studying the data complexity of constraint query languages, it soon
became clear that allowing recursion in query languages leads to non-closed or
undecidable query languages even for rather simple context structures. On the
other hand there are promising results for non-recursive languages in many interesting
contexts. For the context structure $(\mathbb{R}, <)$ a Logspace data complexity
for first-order logic has been established by Kanellakis, Kuper, and Revesz, which
was later improved to $AC^0$ by Kanellakis and Goldin [11]. In [12] it has also been
shown that first-order logic still has data complexity NC if the context structure
is extended by addition and multiplication. Thus first-order logic is well-suited
as a query language for spatial databases where the context structure is the field
of reals.

In this paper we will consider the complexity of query evaluation in two
important cases: (1) linear constraint databases, where the context structure is
$(\mathbb{R}, <, +)$ or $(\mathbb{N}, <, +)$, and (2) constraint databases over dense linear orders.

It turns out that the data complexity of first-order queries on linear constraint
databases depends heavily on the universe. The data complexity of first-order
queries on databases over $(\mathbb{R}, <, +)$ is known to be in NC. It has been conjectured
by Grumbach and Su [6] that this is also true for the context structure $(\mathbb{N}, <, +)$.
We refute this conjecture here by showing that we find complete first-order
queries for each level of the polynomial time hierarchy.

As stated above, allowing recursion in query languages tends to result in
undecidable languages. For instance, we will observe that this is the case for
linear constraint queries over $(\mathbb{R}, <, +)$. An exception are dense order constraint
databases, where the context structure is $(\mathbb{R}, <)$ (or any other dense linear order
without endpoints). There we can incorporate recursion and still end up in
decidable and closed languages. For instance, it has been shown in [12, 5] that
inflationary Datalog with negation has Ptime data complexity and, in fact,
that it captures Ptime on dense order constraint databases. We continue this
line of research and present a general technique that allows us to lift capturing
results from the class of ordered finite structures to constraint databases over
$(\mathbb{R}, <)$. This is done by associating with every constraint database over $(\mathbb{R}, <)$ a
finite ordered structure, called the invariant of the database, which carries all the
information stored in the infinite database. The finite database can be defined
by first-order formulae and therefore with very low data complexity. A query on
the constraint database can be evaluated in the invariant in such a way that
the result of the original query can be regained from the answer on the finite
database with very low data complexity. Indeed the invariant is first-order interpretable
in the original database, and this allows us to translate any formula that
represents a query on the invariant into an equivalent formula over the original
database. In this way capturing results are lifted from ordered finite structures
to dense order constraint databases.

2 Constraint Databases

The basic idea in the definition of constraint databases is to allow infinite relations
which have a finite representation by a quantifier-free formula. Let $\mathfrak{A}$ be a
$\tau$-structure, called the context structure, and $\varphi(x_1, \ldots, x_n)$ be a quantifier-free
formula of vocabulary $\tau$ that may contain elements from $A$ as parameters. Let
$\sigma := \{R_1, \ldots, R_k\}$ be a relational signature disjoint from $\tau$.

We say that an $n$-ary relation $R \subseteq A^n$ is represented by $\varphi(x_1, \ldots, x_n)$ over $\mathfrak{A}$,
if $R = \{(a_1, \ldots, a_n) : \mathfrak{A} \models \varphi(a_1, \ldots, a_n)\}$. A $\sigma$-constraint database over the context
structure $\mathfrak{A}$ is an expansion $\mathfrak{B} = (\mathfrak{A}, R_1, \ldots, R_k)$ of $\mathfrak{A}$ where all $\sigma$-relations
$R_i$ are finitely represented by formulae $\varphi_{R_i}$ over $\mathfrak{A}$. The set $\Phi := \{\varphi_{R_1}, \ldots, \varphi_{R_k}\}$
is called a finite representation of $\mathfrak{B}$. The set of finitely representable relations
over $\mathfrak{A}$ is denoted by $\mathrm{Rel}_{fr}(\mathfrak{A})$ and the set of all constraint databases over $\mathfrak{A}$ is
denoted by $\mathrm{Exp}_{fr}(\mathfrak{A})$. The signature $\tau$ is called the context signature whereas $\sigma$
is called the database signature.

By definition, constraint databases are expansions of a context structure by
finitely representable database relations. Note that the same relation can be
represented in different ways, e.g. $\varphi_1 := x < 10 \wedge x > 0$ and $\varphi_2 := (0 <
x \wedge x < 6) \vee (6 < x \wedge x < 10) \vee x = 6$ are different formulae but define the same
relation. Two representations $\Phi$ and $\Psi$ are $\mathfrak{A}$-equivalent if they represent the
same database over $\mathfrak{A}$.

To measure the complexity of algorithms taking constraint databases as inputs
we have to define the size of a constraint database. Unlike finite databases,
the size of constraint databases cannot be given in terms of the number of elements
stored in them but has to be based on a representation of the database.
Note that equivalent representations of a database need not be of the same
size. Thus the size of a constraint database cannot be defined independently of a
particular representation. In the following, whenever we speak of a constraint
database $\mathfrak{B}$, we have a particular representation of $\mathfrak{B}$ in mind. The size $|\mathfrak{B}|$
of $\mathfrak{B}$ is then defined as the sum of the lengths of the formulae in $\Phi$. This corresponds
to the standard encoding of constraint databases by the formulae of
their representation.

Constraint queries. Let $\mathfrak{A}$ be a $\tau$-structure and $\sigma$ a relational signature.
A constraint query $Q : \mathrm{Exp}_{fr}(\mathfrak{A}) \to \mathrm{Rel}_{fr}(\mathfrak{A})$ is a mapping from $\sigma$-constraint
databases over $\mathfrak{A}$ to finitely representable relations over $\mathfrak{A}$. In the sequel we are
interested only in queries defined by formulae of a given logic $\mathcal{L}$. In order to define
queries by $\mathcal{L}$-formulae, we require the context structures to admit quantifier
elimination for $\mathcal{L}$. This means that every $\mathcal{L}$-formula $\varphi$ is equivalent in $\mathfrak{A}$ to a
quantifier-free formula. If $\mathfrak{A}$ admits quantifier elimination for $\mathcal{L}$, then every formula
$\psi(x_1, \dots, x_k) \in \mathcal{L}[\tau \cup \sigma]$ defines a query $Q_\psi$ taking a $\sigma$-constraint database $\mathfrak{B}$
over $\mathfrak{A}$ to the set $\{\bar a \in A^k : \mathfrak{B} \models \psi(\bar a)\}$, and the result of the query is itself
finitely representable.

Typical questions that arise when dealing with constraint query languages are
the complexity of query evaluation for a certain constraint query language and
the definability of a query in a given language. For a fixed query formula $\psi \in \mathcal{L}$,
the data complexity of the query is defined as the amount of resources (e.g.
time, space, or number of processors) needed to evaluate the function that takes
a representation of a database to a representation of the answer relation.

3 Linear Constraints 

In this section we consider linear constraint databases, that is, databases defined
over the context structures $(\mathbb{R}, <, +)$, $(\mathbb{Q}, <, +)$ or $(\mathbb{N}, <, +)$. The data complexity
of linear constraint queries in the context of $(\mathbb{R}, <, +)$ and $(\mathbb{Q}, <, +)$ has been
studied by Grumbach, Su, and Tollu in [5, 7]. In [5] it is claimed that "first-order
queries on linear constraint databases have $\mathrm{NC}^1$ data complexity."

First, we briefly discuss whether query languages more powerful than first-order
logic can be effectively evaluated on linear constraint databases. A simple
argument shows that adding a recursion mechanism to first-order logic leads to
non-closed or undecidable languages. For example, the (FO+DTC)-formula
$\mathit{nat}(x) := [\mathrm{DTC}_{x,y}(x + 1 = y)](0, x)$ defines the natural numbers, and
multiplication of natural numbers can be defined by the (FO+DTC)-formula
$\mathit{mult}(x, y, z) := [\mathrm{DTC}_{uv, u'v'}(u + 1 = u' \wedge v + x = v')](00, yz)$.

It follows that Hilbert's 10th problem (or the existential theory of arithmetic)
can be reduced to the evaluation of existential FO+DTC-queries on linear constraint
databases.

Theorem 1. Every query language over the context structure $(\mathbb{R}, <, +)$ which
is at least as expressive as existential FO+DTC is undecidable.

Thus the result by Grumbach and Su cannot be extended to query languages
allowing recursion. We now show that the result also does not generalize to linear
constraint queries over the natural numbers.

Presburger arithmetic (PrA), the theory of the structure $(\mathbb{N}, <, +)$, is well
known to be decidable. Strictly speaking, we have to expand $(\mathbb{N}, <, +)$ by divisibility
relations $a \mid x$ (for all parameters $a \in \mathbb{N}$), because otherwise the theory
would not admit quantifier elimination and hence non-Boolean queries could not
be evaluated in closed form. Note that $a \mid x$ is of course definable in $(\mathbb{N}, <, +)$ but
not by a quantifier-free formula. However, we will show that even the evaluation
of boolean first-order queries is much more complex in the context of Presburger
arithmetic than on $(\mathbb{R}, <, +)$. This result relies on complexity results for
fragments of PrA with bounded quantifier prefixes. Let $Q := Q_1 \cdots Q_k$ be a word
in $\{\exists, \forall\}^*$. Then $[Q] \cap \mathrm{PrA}$ is the set of sentences of the form $\psi := Q_1 x_1 \cdots Q_k x_k \varphi$
such that $(\mathbb{N}, <, +) \models \psi$ and $\varphi$ is quantifier-free. It has been shown [2, 15] that
the complexity of such fragments of Presburger arithmetic may reside on arbitrarily
high levels of the polynomial-time hierarchy. Essentially the evaluation of
formulae with $m + 1$ quantifier blocks of bounded length is in the $m$-th level of
the hierarchy.

Theorem 2 (Grädel, Schöning). Let $m \geq 1$, $r_1, \dots, r_m \geq 1$ and $r_{m+1} \geq 3$.

Then, for odd $m$, $[\exists^{r_1} \forall^{r_2} \cdots \exists^{r_m} \forall^{r_{m+1}}] \cap \mathrm{PrA}$ is $\Sigma^p_m$-complete, and
$[\forall^{r_1} \exists^{r_2} \cdots \forall^{r_m} \exists^{r_{m+1}}] \cap \mathrm{PrA}$ is $\Pi^p_m$-complete. For even $m$,
$[\exists^{r_1} \forall^{r_2} \cdots \forall^{r_m} \exists^{r_{m+1}}] \cap \mathrm{PrA}$ is $\Sigma^p_m$-complete and
$[\forall^{r_1} \exists^{r_2} \cdots \exists^{r_m} \forall^{r_{m+1}}] \cap \mathrm{PrA}$ is $\Pi^p_m$-complete.

The proof of the following theorem exhibits a simple argument for translating 
such complexity results for prefix classes in logical theories to results on the 
complexity of query evaluation in constraint databases. 

Theorem 3. Let $\psi$ be a first-order boolean query on constraint databases over
$(\mathbb{N}, <, +)$. Then the data complexity of $\psi$ is in the polynomial-time hierarchy.

Conversely, for each class $\Sigma^p_k$, resp. $\Pi^p_k$, of the polynomial-time hierarchy there
is a fixed query $\psi$ whose data complexity is $\Sigma^p_k$-complete, resp. $\Pi^p_k$-complete.

Proof. We can assume that $\psi = Q_1 x_1 \cdots Q_k x_k \varphi$ with $\varphi$ quantifier-free and with
database relations $R_1, \dots, R_m$. Given a database $\mathfrak{B} = (\mathbb{N}, <, +, R_1, \dots, R_m)$
where the database relations are represented by $\beta_1, \dots, \beta_m$ over $(\mathbb{N}, <, +)$, let
$\psi' := \mathit{unfold}(\psi, \mathfrak{B})$ be the unfolded query, obtained by replacing in $\psi$ all occurrences
of $R_1, \dots, R_m$ by the defining formulae $\beta_1, \dots, \beta_m$. Since the $\beta_i$ are
quantifier-free, $\psi'$ has the same prefix as $\psi$ and length bounded by $O(|\mathfrak{B}|)$ (given
that $\psi$ is considered fixed). Obviously $\mathfrak{B} \models \psi$ if and only if $\psi' \in [Q_1 \cdots Q_k] \cap \mathrm{PrA}$.
Hence the data complexity of $\psi$ is in the polynomial-time hierarchy (and actually,
we can read off the level of the hierarchy directly from the prefix of $\psi$).

For the second assertion of the theorem, consider any quantifier prefix $Q = Q_1 \cdots Q_m$.
Let $R$ be an $m$-ary relation symbol and let $\psi_Q$ be the query $Q_1 x_1 \cdots Q_m x_m\, R x_1 \cdots x_m$.
The decision problem for $[Q] \cap \mathrm{PrA}$ reduces to the evaluation
problem of $\psi_Q$ on constraint databases over $(\mathbb{N}, <, +)$. Indeed, for every sentence
$\varphi = Q_1 x_1 \cdots Q_m x_m\, \varphi'(x_1, \dots, x_m)$ in $\mathrm{FO}(<, +)$, let $\mathfrak{B}_\varphi$ be the $\{R\}$-database
over $(\mathbb{N}, <, +)$ such that $R$ is represented by $\varphi'$. The size of $\mathfrak{B}_\varphi$ is bounded
by the length of $\varphi$. Clearly, $\varphi$ is true in $(\mathbb{N}, <, +)$ if and only if $\mathfrak{B}_\varphi \models \psi_Q$.

Hence, by choosing $Q$ as indicated by Theorem 2, the evaluation problem for
$\psi_Q$ is $\Sigma^p_k$-complete, resp. $\Pi^p_k$-complete. □
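The unfolding step of the proof above, as an added example that is not part of the paper: a constructed mini-syntax for formulae over $(\mathbb{N}, <, +)$, the substitution of each database atom $R(\bar u)$ by its quantifier-free defining formula $\beta_R$, and a check that the quantifier prefix of $\psi$ survives unfolding while the length grows only by the size of the representation. The relation $R$, its defining formula and the query $\psi$ are constructed for the example.

```python
"""Unfolding a fixed boolean query against a constraint database over (N, <, +).
Added example for the proof of Theorem 3; not the paper's code.
Formulae are nested tuples (constructed mini-syntax):
  ("forall", v, body) / ("exists", v, body)   quantifiers
  ("and", a, b) / ("or", a, b) / ("not", a)   connectives
  ("atom", text)                               quantifier-free atom, e.g. "x1+x1=x2"
  ("rel", name, args)                          database relation applied to variables
"""
import re


def substitute(beta, env):
    """beta[x1/u1, ..., xn/un]: rename the formal variables x1, x2, ... of a
    quantifier-free defining formula by the arguments given in env."""
    kind = beta[0]
    if kind == "atom":
        return ("atom", re.sub(r"\bx\d+\b", lambda m: env.get(m.group(0), m.group(0)), beta[1]))
    if kind in ("and", "or"):
        return (kind, substitute(beta[1], env), substitute(beta[2], env))
    if kind == "not":
        return ("not", substitute(beta[1], env))
    raise ValueError("defining formulae must be quantifier-free: " + kind)


def unfold(psi, defs):
    """unfold(psi, B): replace each database atom R(u) by the defining formula
    beta_R of R in the representation `defs` (a dict: relation name -> formula)."""
    kind = psi[0]
    if kind == "rel":
        _, name, args = psi
        env = {f"x{i + 1}": a for i, a in enumerate(args)}
        return substitute(defs[name], env)
    if kind in ("forall", "exists"):
        return (kind, psi[1], unfold(psi[2], defs))
    if kind in ("and", "or"):
        return (kind, unfold(psi[1], defs), unfold(psi[2], defs))
    if kind == "not":
        return ("not", unfold(psi[1], defs))
    return psi  # a quantifier-free atom of the context structure: unchanged


def prefix(phi):
    """Leading quantifier prefix as a word over {E, A} (E = exists, A = forall)."""
    word = ""
    while phi[0] in ("forall", "exists"):
        word += "A" if phi[0] == "forall" else "E"
        phi = phi[2]
    return word


def size(phi):
    """Crude length measure: one per connective or quantifier plus atom text length."""
    kind = phi[0]
    if kind == "atom":
        return len(phi[1])
    if kind == "rel":
        return 1 + len(phi[2])
    if kind in ("forall", "exists", "not"):
        return 1 + size(phi[-1])
    return 1 + size(phi[1]) + size(phi[2])


# Constructed database B over (N, <, +) with one binary relation R,
# represented by the quantifier-free formula  x1 < x2  and  x1 + x1 = x2.
DEFS = {"R": ("and", ("atom", "x1<x2"), ("atom", "x1+x1=x2"))}

# Constructed fixed query psi := forall y exists z (R(y, z) and not R(z, y)).
PSI = ("forall", "y", ("exists", "z",
       ("and", ("rel", "R", ("y", "z")), ("not", ("rel", "R", ("z", "y"))))))


def demo():
    """Return (prefix of psi, prefix of psi', size of psi, size of psi')."""
    psi2 = unfold(PSI, DEFS)
    return prefix(PSI), prefix(psi2), size(PSI), size(psi2)


if __name__ == "__main__":
    print(demo())
```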

We have seen that first-order logic can express quite complex queries. We now
consider sub-classes of first-order logic which can still be efficiently evaluated.
It has been shown by Lenstra and Scarpellini (see references in [2]) that for all
fixed dimensions $t \in \mathbb{N}$, $[\exists^t] \cap \mathrm{PrA}$ and $[\forall^t] \cap \mathrm{PrA}$ are in Ptime. Thus, by an
argument similar to the one above, we can show the following theorem.
Theorem 4. Existential and universal boolean queries on constraint databases
over $(\mathbb{N}, <, +)$ have Ptime data complexity.

However, as soon as we admit queries with alternation depth two, the evaluation
problem is NP- or co-NP-hard. This follows from a result by Schöning
[15] who proved that $[\exists\forall] \cap \mathrm{PrA}$ is NP-complete, strengthening a result in [2].

4 Dense Linear Orders 

We now consider the complexity of query evaluation in the context of dense linear 
orders. We prove a general result which allows us to give precise complexity 
bounds for the data complexity of various logics such as transitive closure or 
fixed-point logic and to extend results on logics capturing complexity classes 
from the realm of finite ordered structures to constraint databases over dense 
linear orders. Given a fixed query, its evaluation in a database can be done by 
(1) transforming the database into a finite structure, called its invariant, (2) 
evaluating a slightly modified version of the query on the invariant, and (3) 
transforming the result of the evaluation to an answer of the original query. 

We fix the context structure $\mathfrak{A} := (\mathbb{R}, <)$ and a query $\psi$ of vocabulary $\{<\} \cup \sigma$
with database signature $\sigma = \{R_1, \dots, R_k\}$. Let $P^\psi \subseteq \mathbb{R}$ be the (finite) set of
parameters that occur in $\psi$. The query has to be transformed so that it can be
evaluated in the invariant. This transformation is independent of a particular
database and can be seen as a compilation or preprocessing step. To set up the
evaluation method outlined above, we define two mappings. The first, $\mathit{inv}$, maps
databases to their corresponding invariants; the second, $\pi$, maps the answer of
the query on the invariant to the answer of the original query.



4.1 The invariant of a constraint database 

Definition 5. Let $\sigma := \{R_1, \dots, R_k\}$ be a signature, $\mathfrak{B}$ be a $\sigma$-database over
$(\mathbb{R}, <)$, $P \subseteq \mathbb{R}$ a set of elements, and $\bar b$ a tuple of real numbers.

— The complete atomic type of $\bar b$ over $P$ with respect to $\mathfrak{B}$, written as $\mathrm{atp}^{\mathfrak{B}}_P(\bar b)$,
is the set of all atomic and negated atomic formulae $\varphi(\bar x)$ over the signature
$\{<, R_1, \dots, R_k\}$ using parameters from $P$ such that $\mathfrak{B} \models \varphi(\bar b)$. We omit the
index $P$ if $P$ is empty and denote by $\mathrm{otp}^{\mathfrak{B}}(\bar b)$, resp. $\mathrm{otp}^{\mathfrak{B}}_P(\bar b)$, the complete
atomic type of $\bar b$ (over $P$) with respect to $\mathfrak{B}$ over the signature $\{<\}$.

— A maximally consistent set of atomic and negated atomic $\sigma \cup \{<\}$-formulae
$\varphi(\bar x)$ is a complete atomic type (over $P$) in the variables $\bar x$, if it is a complete
atomic type (over $P$) of a tuple $\bar b$ with respect to a $\sigma$-expansion of $\mathfrak{A}$. We
write $\mathrm{atp}^{\sigma}(\bar x)$, resp. $\mathrm{atp}^{\sigma}_P(\bar x)$, for a complete atomic type (over $P$) in the
variables $\bar x$ over the database signature $\sigma$ of $\mathfrak{B}$.

A type is an $n$-type if it has $n$ free variables. We omit $\mathfrak{B}$ if it is clear from the
context. When speaking about types we always mean complete atomic types
throughout this chapter.
We call complete atomic types over $\sigma \cup \{<\}$ also complete database types.
Database types are of special interest here because the database type of a tuple
$\bar b$ determines everything we can say about $\bar b$ in terms of the database, in particular
which database relations $\bar b$ belongs to.

Suppose $\mathfrak{B}$ is a database and $P^{\mathfrak{B}}$ the set of parameters used in its definition.
Recall from the introduction that there are different ways to represent the
database $\mathfrak{B}$. The set of parameters used in these representations will generally
differ from $P^{\mathfrak{B}}$. We define a set of parameters, called the canonical parameters,
which can be extracted from $\mathfrak{B}$ independently of its representation.

Definition 6. Suppose $\mathfrak{B} = (\mathbb{R}, <, R_1^{\mathfrak{B}}, \dots, R_k^{\mathfrak{B}})$ is a database. The set $\mathrm{cp}(\mathfrak{B}) \subseteq \mathbb{R}$
of canonical parameters of $\mathfrak{B}$ is the set of elements $p$ satisfying the following
condition.

For at least one $n$-ary relation $R \in \{R_1^{\mathfrak{B}}, \dots, R_k^{\mathfrak{B}}\}$ there are $a_1, \dots, a_n \in \mathbb{R}$, an
$\varepsilon \in \mathbb{R}$, $\varepsilon > 0$, and an $\varepsilon$-neighbourhood $S = (p - \varepsilon, p + \varepsilon)$ of $p$ such that one of the
following holds.

— For all $q \in S$, $q < p$ and for no $q \in S$, $q > p$ we have $R\bar a[p/q]$. Here $R\bar a[p/q]$
means that all components $a_i = p$ are replaced by $q$.

— For all $q \in S$, $q > p$ and for no $q \in S$, $q < p$ we have $R\bar a[p/q]$.

— $R\bar a[p/q]$ holds for all $q \in S \setminus \{p\}$ but not for $q = p$.

— $R\bar a[p/q]$ holds for $q = p$ but not for any $q \in S \setminus \{p\}$.

Lemma 7. All canonical parameters of $\mathfrak{B}$ occur explicitly in all representations
of $\mathfrak{B}$.

In particular this implies that the cardinality of $\mathrm{cp}(\mathfrak{B})$ is bounded by the size
of any representation of $\mathfrak{B}$.

We show in the next lemma that an atomic order type over $\mathrm{cp}(\mathfrak{B})$ uniquely
determines a complete database type. It follows that every two tuples realizing
the same atomic order type over $\mathrm{cp}(\mathfrak{B})$ occur in the same database relations.
Thus the parameter set $\mathrm{cp}(\mathfrak{B})$ is sufficient to define a representation of $\mathfrak{B}$.

Lemma 8. Suppose $\mathfrak{B}$ is a database and $\bar a, \bar b \in \mathbb{R}^k$ are two $k$-tuples.

(i) If $\mathrm{otp}^{\mathfrak{B}}_{\mathrm{cp}(\mathfrak{B})}(\bar a) = \mathrm{otp}^{\mathfrak{B}}_{\mathrm{cp}(\mathfrak{B})}(\bar b)$, then $\mathrm{atp}^{\mathfrak{B}}(\bar a) = \mathrm{atp}^{\mathfrak{B}}(\bar b)$.

(ii) If $\mathrm{otp}^{\mathfrak{B}}_{\mathrm{cp}(\mathfrak{B})}(a_i) = \mathrm{otp}^{\mathfrak{B}}_{\mathrm{cp}(\mathfrak{B})}(b_i)$ for all $1 \leq i \leq k$ and $\mathrm{otp}^{\mathfrak{B}}(\bar a) = \mathrm{otp}^{\mathfrak{B}}(\bar b)$,
then $\mathrm{otp}^{\mathfrak{B}}_{\mathrm{cp}(\mathfrak{B})}(\bar b) = \mathrm{otp}^{\mathfrak{B}}_{\mathrm{cp}(\mathfrak{B})}(\bar a)$.

(iii) If $P$ is a superset of $\mathrm{cp}(\mathfrak{B})$, then $\mathrm{otp}^{\mathfrak{B}}_P(\bar b) = \mathrm{otp}^{\mathfrak{B}}_P(\bar a)$ implies
$\mathrm{otp}^{\mathfrak{B}}_{\mathrm{cp}(\mathfrak{B})}(\bar a) = \mathrm{otp}^{\mathfrak{B}}_{\mathrm{cp}(\mathfrak{B})}(\bar b)$.

Proof. The proofs of the second and third part are straightforward. To prove the
first part suppose for the sake of contradiction that $\mathrm{atp}^{\mathfrak{B}}(\bar b)$ and $\mathrm{atp}^{\mathfrak{B}}(\bar a)$ differ.
Then there is an atomic or negated atomic formula $\varphi$ such that $\mathfrak{B} \models \varphi(\bar a)$ but
$\mathfrak{B} \not\models \varphi(\bar b)$. If $\varphi$ is of the form $x_i < x_j$, then $a_i < a_j$ but not $b_i < b_j$, which
contradicts the assumption that $\mathrm{otp}^{\mathfrak{B}}_{\mathrm{cp}(\mathfrak{B})}(\bar b) = \mathrm{otp}^{\mathfrak{B}}_{\mathrm{cp}(\mathfrak{B})}(\bar a)$.
Now suppose $\varphi$ is of the form $R x_1 \cdots x_r$, where $r := \mathrm{ar}(R)$. Let $C := (\bar c_0, \bar c_1, \dots, \bar c_k)$
be a sequence of points in $\mathbb{R}^k$ such that $c_{i,j} := b_j$ for all $j \leq i$ and $c_{i,j} := a_j$
for all $j > i$. Thus $\bar c_0 = \bar a$, $\bar c_k = \bar b$, $\bar c_1 = (b_1, a_2, \dots, a_k)$, $\bar c_2 = (b_1, b_2, a_3, \dots, a_k)$,
and so on. Further, let $L := (l_1, \dots, l_k)$ be a sequence of lines such that the
endpoints of $l_i$ are $\bar c_{i-1}$ and $\bar c_i$. As $\mathfrak{B} \models \varphi(\bar a)$ but $\mathfrak{B} \not\models \varphi(\bar b)$, there is an
$l_j$ that intersects both $R^{\mathfrak{B}}$ and its complement. Assume w.l.o.g. that $a_j < b_j$. Let
$\bar q := \bar c_{j-1}$. Then there is a $p \in \mathbb{R}$ with $a_j < p < b_j$ such that $R^{\mathfrak{B}} \bar q$ but not
$R^{\mathfrak{B}}(q_1, \dots, q_{j-1}, p, q_{j+1}, \dots, q_k)$. We claim that there is at least one canonical
parameter $d$ with $a_j < d < p$. To prove this claim, let $A := \{a \in \mathbb{R} : a_j < a$
and $R^{\mathfrak{B}}(q_1, \dots, q_{j-1}, a', q_{j+1}, \dots, q_k)$ for all $a_j < a' < a\}$. Let $d$ be the supremum
of $A$. Then, by Definition 6, $d$ is a canonical parameter and $a_j < d < p$. This
proves the claim. Thus $\bar a$ and $\bar b$ do not satisfy the same complete order type over
$\mathrm{cp}(\mathfrak{B})$, which contradicts the assumption. □

One implication of the lemma is the following. Suppose we want to decide
if $R\bar a$ holds for a tuple $\bar a := a_1, \dots, a_k$ and a $k$-ary database relation $R$. The
question can be answered if we know whether $R\bar b$ holds for a tuple $\bar b := b_1, \dots, b_k$
such that $\bar a$ and $\bar b$ realize the same order type and each $b_i$ realizes the same 1-order
type over $\mathrm{cp}(\mathfrak{B})$ as $a_i$. This will be the central idea in the definition of the
invariant.

The relevant set of parameters that we need for the evaluation of $\psi$ on a
database $\mathfrak{B}$ is $P^{\mathfrak{B},\psi} := \{0, 1\} \cup \mathrm{cp}(\mathfrak{B}) \cup P^\psi$. The constants 0 and 1 are included
because they will be needed in the definition of the invariant.

Since $P^\psi$ is finite and Definition 6 of the set of canonical parameters can
obviously be formalized in first-order logic, it follows that for any fixed $\psi$, the
set $P^{\mathfrak{B},\psi}$ is uniformly first-order definable over $(\mathbb{R}, <, 0, 1, P^\psi)$.

Lemma 9. There exists a first-order formula $\delta(x)$ of vocabulary $\{<, 0, 1\} \cup \sigma$
such that for every $\sigma$-database $\mathfrak{B} = (\mathbb{R}, <, R_1^{\mathfrak{B}}, \dots, R_k^{\mathfrak{B}})$, $P^{\mathfrak{B},\psi} = \{a \in \mathbb{R} : \mathfrak{B} \models \delta(a)\}$.

We are now ready to define the invariant. Given a database $\mathfrak{B}$, define an
equivalence relation $\sim$ on $\mathbb{R}$ such that two elements $a$ and $b$ are $\sim$-equivalent if
and only if they realize the same 1-order type over $P^{\mathfrak{B},\psi}$. As $P^{\mathfrak{B},\psi}$ is first-order
definable, the equivalence relation $\sim$ is first-order definable as well. The set $\mathbb{R}/\!\sim$ of
equivalence classes serves as the universe of the invariant. To complete the
definition we have to specify the database relations.

Before we give the detailed definition of the relations in the invariant, we
illustrate the idea by an example. Consider a database $\mathfrak{B}$ with a single binary
relation $S$ represented by $\varphi_S(x, y) := x > 1 \wedge x < 8 \wedge y > 0 \wedge y < 6 \wedge y < x$. The
relation is shown in the following figure.
As explained above, the invariant depends not only on the database but
also on the parameters used in the query $\psi$. To simplify the example let $\psi$ be an
arbitrary query with no extra parameters. Thus the set $P^{\mathfrak{B},\psi}$ consists of the four
elements $0, 1, 6, 8$ and there are nine different $\sim$-equivalence classes, namely the
intervals $(-\infty, 0)$, $\{0\}$, $(0, 1)$, $\{1\}$, $(1, 6)$, $\{6\}$, $(6, 8)$, $\{8\}$, and $(8, \infty)$. Recall that
these equivalence classes form the universe of the invariant. Thus the relation $S$
has somehow to be defined in terms of these classes. Obviously it is not enough
to factorize $S$ by $\sim$, because as $5 \sim 5.1$, the equivalence classes $[5]$ and $[5.1]$ are
equal, but $(5.1, 5) \in S$ and $(5, 5) \notin S$. Thus $S/\!\sim$ would not be well-defined.

Instead of simply factorizing an $m$-ary relation $R$ by $\sim$ we consider the set $C_R$
of $(m+1)$-tuples $([a_1], \dots, [a_m], \rho)$, where $[a_i] \in \mathbb{R}/\!\sim$, $1 \leq i \leq m$, and $\rho$ denotes an
$m$-order type, such that $([a_1], \dots, [a_m], \rho) \in C_R$ if and only if there is a $\bar b \in \mathbb{R}^m$
realizing $\rho$ such that $R\bar b$ holds and $a_i \sim b_i$ for all $1 \leq i \leq m$. In the example
above, the set $C_S$ consists of all triples $([a_1], [a_2], \rho)$ such that $[a_1] \times [a_2]$
is in the rectangle marked by the dashed line in the figure and $\rho$ is the order
type $x < y$.

The idea behind the definition of the relations in the invariant is to use the
set $C_R$ as a finite relation carrying all the information necessary to restore the
original database relation $R$.

Note that the set $\mathrm{ord}(m)$ of different $m$-order types is finite for all $m$. Thus
we can assign to each order type $\rho \in \mathrm{ord}(m)$ a binary word $\beta_m(\rho) \in \{0, 1\}^{\ell(m)}$
where $\ell(m) := \min\{t : 2^t \geq |\mathrm{ord}(m)|\}$. For $m = 2$ we define $\beta_2$ to be the encoding
taking $x < y$ to $00$, $x = y$ to $01$, and $y < x$ to $10$. Once such an encoding
is fixed, the set $C_R$ can be represented by a set $C'_R := \{([a_1], \dots, [a_m], \bar t) :
([a_1], \dots, [a_m], \rho) \in C_R$ and $\beta_m(\rho) = \bar t\}$. This gives the definition of the relations
in the invariant.

Definition 10. Let $\sigma := \{R_1, \dots, R_k\}$ and $\mathfrak{B}$ be a $\sigma$-database over $(\mathbb{R}, <)$.
The invariant of $\mathfrak{B}$ is a finite structure $\mathfrak{B}^I$ with universe $U$ over the signature
$\{<, R'_1, \dots, R'_k\}$ where

— $U := \mathbb{R}/\!\sim$,

— $[x] < [y]$ if and only if $x < y$ and $x \not\sim y$, and

— if $R \in \sigma$ has arity $m$, then the corresponding relation $R'$ has arity $m + \ell(m)$
and $R'[a_1] \cdots [a_m] t_1 \cdots t_{\ell(m)}$ holds in $\mathfrak{B}^I$ iff there are $b_1, \dots, b_m \in \mathbb{R}$ with
$\beta_m(\mathrm{otp}(\bar b)) = t_1 \cdots t_{\ell(m)}$ so that $R^{\mathfrak{B}} b_1 \cdots b_m$ and $[a_i] = [b_i]$ for $1 \leq i \leq m$.

The mapping $\mathit{inv}$ is defined as the function taking databases to their invariants.

We also need a function taking the finite encoding of relations back to their
representation.

Definition 11. Let $S$ be an $(m + \ell(m))$-ary relation of the form indicated by
Definition 10. The function

$$\pi : S \mapsto \varphi_S(x_1, \dots, x_m) := \bigvee_{(\bar a, \bar t) \in S} \Big( \sigma_m(\bar x, \bar t) \wedge \bigwedge_{j=1}^{m} (x_j \sim a_j) \Big)$$

maps $S$ to a formula $\varphi_S$ representing the corresponding relation on the original
database. Here $\sigma_m(\bar x, \bar t)$ is a formula stating that $\bar x$ satisfies the order type
specified by $\bar t$. The corresponding function mapping relations on the invariant to
finitely representable relations over the database is $\pi : S \mapsto \{\bar a : \mathfrak{A} \models \pi(S)[\bar a]\}$.
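The construction of Definitions 10 and 11 run on the example relation $S$ from above, as an added example that is not the paper's code: it builds the $\sim$-classes over the parameter set, computes the relation $S'$ of tuples $([a_1], [a_2], t_1 t_2)$ with $\beta_2$ as fixed in the text, renders $\pi(S')$ as a formula, and checks that $\pi(S')$ agrees with $S$ again. One assumption simplifies the code: instead of computing $\mathrm{cp}(\mathfrak{B})$ exactly it takes every constant occurring in $\varphi_S$ as a parameter; by Lemma 7 this set contains $\mathrm{cp}(\mathfrak{B})$, so the classes only refine the paper's and Lemma 8 (iii) keeps $S'$ well-defined.

```python
"""Invariant of a dense-order constraint database (Definitions 10 and 11).
Added example, not the paper's code. Runs the paper's example relation
S(x, y) := x > 1 and x < 8 and y > 0 and y < 6 and y < x  over (R, <).
Assumption: the parameter set is {0, 1} plus every constant of phi_S, a
superset of cp(B) by Lemma 7, so the classes refine the paper's."""
from itertools import product
from math import inf

# P^{B,psi} for the example: {0, 1} and the constants 1, 8, 0, 6 of phi_S.
PARAMS = sorted({0.0, 1.0} | {1.0, 8.0, 0.0, 6.0})


def S(x, y):
    """The database relation S of the example, as a predicate on R^2."""
    return x > 1 and x < 8 and y > 0 and y < 6 and y < x


# beta_2 from the paper: the three 2-order types as binary words.
ORDER_CODE = {"x<y": "00", "x=y": "01", "y<x": "10"}


def classes(params):
    """The 1-order types over params, i.e. the ~-classes (2|P|+1 of them, Lemma 12).
    A class is (lo, hi, is_point): the open interval (lo, hi) or the point {lo}."""
    out, prev = [], -inf
    for p in params:
        out.append((prev, p, False))
        out.append((p, p, True))
        prev = p
    out.append((prev, inf, False))
    return out


def class_of(v, cls):
    """Index of the class [v] in cls."""
    for k, (lo, hi, pt) in enumerate(cls):
        if (pt and v == lo) or (not pt and lo < v < hi):
            return k
    raise ValueError(v)


def points(c, n):
    """n increasing witness points inside class c (a point class has only one)."""
    lo, hi, pt = c
    if pt:
        return [lo] * n
    if lo == -inf and hi == inf:
        return [float(k) for k in range(n)]
    if lo == -inf:
        return [hi - n + k for k in range(n)]
    if hi == inf:
        return [lo + 1 + k for k in range(n)]
    return [lo + (hi - lo) * (k + 1) / (n + 1) for k in range(n)]


def witnesses(i, j, cls):
    """One witness (b1, b2) per 2-order type realizable with [b1] = cls[i], [b2] = cls[j]."""
    if i != j:  # distinct classes are ordered, so only one order type is realizable
        return [(points(cls[i], 1)[0], points(cls[j], 1)[0], "x<y" if i < j else "y<x")]
    if cls[i][2]:  # a point class: only x = y
        return [(cls[i][0], cls[i][0], "x=y")]
    a, b = points(cls[i], 2)  # an open interval realizes all three order types
    return [(a, b, "x<y"), (a, a, "x=y"), (b, a, "y<x")]


def invariant(rel, params):
    """Definition 10 for a binary relation: S' = {([a1],[a2],t1,t2) : some b in S with
    [b_i] = [a_i] and beta_2(otp(b)) = t1 t2}. By Lemma 8 membership in S depends
    only on the order type over P, so one witness per (class pair, order type) decides."""
    cls = classes(params)
    inv = set()
    for i, j in product(range(len(cls)), repeat=2):
        for b1, b2, otp in witnesses(i, j, cls):
            if rel(b1, b2):
                t = ORDER_CODE[otp]
                inv.add((i, j, int(t[0]), int(t[1])))
    return cls, inv


def pi_formula(cls, inv):
    """Definition 11: disjunction over (a, t) in S' of sigma_2(x, t) and x ~ a1 and y ~ a2,
    rendered as a string with x ~ [a] spelled out as the interval constraints."""
    decode = {v: k for k, v in ORDER_CODE.items()}

    def in_class(var, c):
        lo, hi, pt = c
        if pt:
            return f"{var}={lo:g}"
        parts = ([f"{lo:g}<{var}"] if lo != -inf else []) + ([f"{var}<{hi:g}"] if hi != inf else [])
        return " & ".join(parts) or "true"

    disjuncts = []
    for i, j, t1, t2 in sorted(inv):
        disjuncts.append("(%s & %s & %s)" % (decode[f"{t1}{t2}"], in_class("x", cls[i]), in_class("y", cls[j])))
    return " | ".join(disjuncts)


def pi_relation(cls, inv):
    """pi(S') as a predicate on R^2: look up ([x], [y], beta_2(otp(x, y))) in S'."""
    def holds(x, y):
        t = ORDER_CODE["x<y" if x < y else "x=y" if x == y else "y<x"]
        return (class_of(x, cls), class_of(y, cls), int(t[0]), int(t[1])) in inv
    return holds


def roundtrip_ok(rel, params, grid):
    """Theorem 15 for an atomic query: pi(inv(S)) agrees with S on every grid point."""
    cls, inv = invariant(rel, params)
    back = pi_relation(cls, inv)
    return all(back(x, y) == rel(x, y) for x in grid for y in grid)


if __name__ == "__main__":
    cls, inv = invariant(S, PARAMS)
    print(len(cls), "classes;", len(inv), "tuples in S'")
    print(pi_formula(cls, inv))
```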

Lemma 12. The invariant $\mathit{inv}(\mathfrak{B})$ is an ordered finite structure whose cardinality
is linearly bounded in the size of any representation of $\mathfrak{B}$.

Proof. For any set $P$, the number of 1-order types over $P$ is $2|P| + 1$. The
cardinality of $\mathit{inv}(\mathfrak{B})$ is the number of 1-order types over $P^{\mathfrak{B},\psi}$. Recall that
$|P^{\mathfrak{B},\psi}| = |\mathrm{cp}(\mathfrak{B})| + O(1)$ (since $\psi$ is considered fixed) and that the size of $\mathrm{cp}(\mathfrak{B})$
is bounded by the size of any representation of $\mathfrak{B}$. □

Corollary 13. The functions $\mathit{inv}$ and $\pi$ can be computed in Logspace.

Proof. The Logspace-computability of $\mathit{inv}$ is a direct implication of the previous
lemma and a result by Kanellakis, Kuper and Revesz stating that first-order
queries can be evaluated in Logspace. For $\pi$, let $S$ be an $(m + \ell(m))$-ary answer
of a query on an invariant. As an implication of the previous lemma, the size of
$S$ is polynomially bounded in the size of any representation of $\mathfrak{B}$. All the algorithm
to calculate $\pi(S)$ has to do is to output the disjunction of the formulae
$(\sigma_m(\bar x, \bar t) \wedge \bigwedge_{j=1}^{m} (x_j \sim a_j))$ for every tuple $(\bar a, \bar t) \in S$. Clearly, this can be done in
Logspace. □

4.2 The transformation of the query

Having defined the invariant of a database, we have to explain how the query
has to be transformed for evaluation in the invariant. This translation of the
formulae follows the same ideas described above, namely to increase the arity
of the relations to store the order type. While translating a formula with free
variables $\{x_1, \dots, x_k\}$ we introduce new free variables $\bar t$ to hold the order type.

It will be necessary to compare order types over a different number of variables.
Suppose that $\rho_1, \rho_2$ are order types in the variables $x_1, \dots, x_m$ and $x_1, \dots, x_n$,
respectively, where $m < n$. We say that $\rho_2$ extends $\rho_1$ if $\rho_1 \subseteq \rho_2$. This means
that the order type $\rho_2$ behaves on $x_1, \dots, x_m$ in the same way as $\rho_1$. In the query
transformation we need a formula $\mathit{extends}_{mn}(\bar i, \bar j)$ stating that $\bar i := i_1, \dots, i_{\ell(m)}$
codes some $m$-order type $\rho_1$, $\bar j := j_1, \dots, j_{\ell(n)}$ codes an $n$-order type $\rho_2$, and $\rho_2$
extends $\rho_1$. The formula is defined as

$$\mathit{extends}_{mn}(\bar i, \bar j) := \bigvee_{\rho_2 \in \mathrm{ord}(n)} \Big( \beta_n(\rho_2) = \bar j \wedge \bigvee_{\substack{\rho_1 \in \mathrm{ord}(m) \\ \rho_2 \text{ extends } \rho_1}} \beta_m(\rho_1) = \bar i \Big).$$



Definition 14. Suppose $\sigma$ is a database schema and $\tau$ the signature of the
invariants corresponding to $\sigma$-databases. Further, let $\mathcal{L}$ be a logic from $\{$FO,
FO+DTC, FO+TC, FO+LFP, FO+PFP$\}$. $f : \mathcal{L}[\sigma] \to \mathcal{L}[\tau]$ is defined inductively
as follows.

— Let $\psi(x, y) := x < y$. Then $(f\psi)(x, y, i_1, i_2) := x < y \wedge i_1 = 0 \wedge i_2 = 0$.

— Let $\psi(x) := x < c$. Then $(f\psi)(x, i) := x < [c] \wedge i = 0$.

— An equality $\psi(x, y) := x = y$ is translated to $(f\psi)(x, y, i_1, i_2) := x = y \wedge i_1 = 0 \wedge i_2 = 1$.

— An equality $\psi(x) := x = c$ corresponds to $(f\psi)(x, i) := x = [c] \wedge i = 0$.

— Let $\psi(x_1, \dots, x_j) := R_s u_1 \cdots u_m$ where the $u_i$ are either constants or variables
from $\{x_1, \dots, x_j\}$ and all $x_i$ occur in $\{u_1, \dots, u_m\}$. Then
$(f\psi)(x_1, \dots, x_j, \bar i) := R'_s v_1 \cdots v_m \bar i$ where $v_r := x_r$ if $u_r = x_r$ and $v_r := [c]$ if $u_r = c$.

— Let $\psi(x_1, \dots, x_m) := \psi_1(\bar y) \wedge \psi_2(\bar z)$ with $\bar y = y_1, \dots, y_{m_1}$ and $\bar z = z_1, \dots, z_{m_2}$,
where all $y_i$ and $z_i$ occur in $\bar x$. Let $\bar i := i_1, \dots, i_{\ell(m)}$, $\bar j := j_1, \dots, j_{\ell(m_1)}$ and
$\bar j' := j'_1, \dots, j'_{\ell(m_2)}$. Then
$(f\psi)(\bar x, \bar i) := \exists \bar j\, \exists \bar j' \big( \mathit{extends}_{m_1 m}(\bar j, \bar i) \wedge \mathit{extends}_{m_2 m}(\bar j', \bar i) \wedge (f\psi_1)(\bar y, \bar j) \wedge (f\psi_2)(\bar z, \bar j') \big)$.

— For $\psi := \neg\varphi$, set $(f\psi) := \neg(f\varphi)$.

— Let $\psi(x_1, \dots, x_m) := \exists y\, \varphi(\bar x, y)$. Then
$(f\psi)(x_1, \dots, x_m, \bar i) := \exists y\, \exists j_1, \dots, j_{\ell(m+1)} \big( \mathit{extends}_{m(m+1)}(\bar i, \bar j) \wedge (f\varphi)(\bar x, y, \bar j) \big)$.

— Let $\psi(\bar u, \bar v) := [\mathrm{DTC}_{\bar x, \bar y}\, \varphi(\bar x, \bar y)](\bar u, \bar v)$.
Then $(f\psi)(\bar u, \bar v, \bar i) := [\mathrm{DTC}_{\bar x, \bar y}\, (f\varphi)(\bar x, \bar y, \bar j)](\bar u, \bar v, \bar i)$.

— Let $\psi(\bar u) := [\mathrm{LFP}_{\bar x, R}\, \varphi(R, \bar x)](\bar u)$.
Then $(f\psi)(\bar u, \bar i) := [\mathrm{LFP}_{\bar x \bar j, R'}\, (f\varphi)(R', \bar x, \bar j)](\bar u, \bar i)$.

— The rules for the TC-, IFP- and PFP-operators are defined analogously.

All parts of the evaluation algorithm have now been defined. The next theo- 
rem proves its correctness. 

Theorem 15. Let $\psi \in \mathcal{L}$, where $\mathcal{L}$ is one of the logics in Definition 14, be a
query, $\mathfrak{B}$ be a database over $(\mathbb{R}, <)$ and $\mathfrak{B}^I := \mathit{inv}(\mathfrak{B})$ be the invariant corresponding
to $\mathfrak{B}$. Then $\psi^{\mathfrak{B}} = \pi((f\psi)^{\mathfrak{B}^I})$.

Proof. The proof is by induction on the structure of the query. The argument for
the boolean operations is straightforward and therefore omitted. Also, we only
give the argument for the LFP-operator and omit the cases of formulae built by
DTC-, TC-, and PFP-operators, which are treated in precisely the same way.

• For $\psi(x, y) := x < y$, the set $\psi^{\mathfrak{B}}$ contains the pairs $(a, b) \in \mathbb{R}^2$ such that $a < b$.
By definition, $f(\psi)$ is $x < y \wedge i_1 = 0 \wedge i_2 = 0$. Evaluating $(f\psi)$ on $\mathfrak{B}^I$ results in
the set $C := \{(a, b, i_1, i_2) : a < b, i_1 = 0, i_2 = 0\}$. Transforming this set with
the mapping $\pi$ yields the formula $\varphi_C(x, y) := \bigvee_{(a, b, i_1, i_2) \in C} (\sigma_2(x, y, i_1, i_2) \wedge x \sim a \wedge y \sim b)$.
As $i_1$ and $i_2$ are $0$ for all tuples $(a, b, i_1, i_2) \in C$, $\sigma_2(x, y, i_1, i_2)$ reduces
to $x < y$ and thus $\pi(C)$ equals $\{(a, b) \in \mathbb{R}^2 : a < b\}$.

• Let $\psi(x) := x = c$. Then $(f\psi)(x, i) := x = [c] \wedge i = 0$ and $(f\psi)$ evaluates
on $\mathfrak{B}^I$ to the set $C := \{([c], 0)\}$. Thus $\pi(C)$ results in the formula $\varphi(x) :=
\sigma_1(x, 0) \wedge x \sim c$. This formula is satisfied only by $c$ because $c \in P^{\mathfrak{B},\psi}$ and therefore
the only member of $[c]$ is $c$ itself. We get $\pi(C) = \{c\} = \psi^{\mathfrak{B}}$.

• Let $\psi(x_1, \dots, x_j) := R_s u_1 \cdots u_m$ as in Definition 14. We assume w.l.o.g. that
the first arguments of the relation are the variables and the parameters come
thereafter, that is $u_1 = x_1, \dots, u_j = x_j$ and $u_{j+1} = c_1, \dots, u_m = c_{m-j}$. The
transformed query is $(f\psi)(x_1, \dots, x_j, \bar i) := R'_s x_1 \cdots x_j [c_1] \cdots [c_{m-j}]\, \bar i$. Evaluating
$f(\psi)$ on $\mathfrak{B}^I$ yields the set $C := \{([a_1], \dots, [a_j], [c_1], \dots, [c_{m-j}], \bar i) \in R'^{\mathfrak{B}^I}_s\}$. Now
we have to show that $\pi(C) = \psi^{\mathfrak{B}}$. Suppose that $(a_1, \dots, a_m) \in \pi(C)$. Then there
is a disjunct $\varphi := \sigma_m(x_1, \dots, x_m, \bar i) \wedge \bigwedge_r (x_r \sim b_r)$ in $\pi(C)$ with $(\bar b, \bar i) \in C$ and
$\mathfrak{B} \models \varphi(\bar a)$. As $(\bar b, \bar i) \in R'^{\mathfrak{B}^I}_s$ and therefore, by Definition 10, $(a_1, \dots, a_m) \in R^{\mathfrak{B}}_s$, we
get $\bar a \in \psi^{\mathfrak{B}}$. Conversely, suppose that $(a_1, \dots, a_m) \in R^{\mathfrak{B}}_s$. Then $([a_1], \dots, [a_m], \bar i)$
is in $R'^{\mathfrak{B}^I}_s$, where $\beta_m(\mathrm{otp}(\bar a)) = \bar i$, and $\sigma_m(\bar x, \bar i) \wedge \bigwedge_r a_r \sim x_r$ occurs as a disjunct
in $\pi(C)$. Obviously this formula is satisfied by $\bar a$ and therefore $\bar a \in \pi(C)$.

• Let $\psi(x_1, \dots, x_m) := \exists y\, \varphi(\bar x, y)$. The transformed formula is $(f\psi)(\bar x, \bar i) :=
\exists y\, \exists j_1, \dots, j_{\ell(m+1)} \big( \mathit{extends}_{m(m+1)}(\bar i, \bar j) \wedge (f\varphi)(\bar x, y, \bar j) \big)$. Suppose that $(a_1, \dots, a_m) \in
\psi^{\mathfrak{B}}$. This is the case if and only if there is an $a_{m+1}$ with $(a_1, \dots, a_m, a_{m+1}) \in \varphi^{\mathfrak{B}}$.
By induction $\varphi^{\mathfrak{B}} = \pi((f\varphi)^{\mathfrak{B}^I})$. Thus there is a tuple $([a_1], \dots, [a_{m+1}], \bar j) \in
(f\varphi)^{\mathfrak{B}^I}$ and $(a_1, \dots, a_{m+1})$ satisfies the $(m+1)$-order type $\rho$ denoted by $\bar j$. This
is the case if and only if there is a tuple $([a_1], \dots, [a_m], \bar i) \in (f\psi)^{\mathfrak{B}^I}$ such that $\rho$
extends the order type denoted by $\bar i$. Thus we get that $(a_1, \dots, a_m) \in \psi^{\mathfrak{B}}$ if and
only if $([a_1], \dots, [a_m], \bar i) \in (f\psi)^{\mathfrak{B}^I}$, where $(a_1, \dots, a_m)$ satisfies the order type
denoted by $\bar i$. This implies that $\psi^{\mathfrak{B}} = \pi((f\psi)^{\mathfrak{B}^I})$.

• Finally, let $\psi(\bar u) := [\mathrm{LFP}_{\bar x, R}\, \varphi(R, \bar x)](\bar u)$. We can assume that
$\varphi$ does not contain an LFP-operator. The proof then is straightforward. □
Now all parts of the evaluation method are defined. We illustrate the method
in the following figure.

[Figure: evaluation of $Q$ via the invariant, ending in $(\mathfrak{B}, Q(\mathfrak{B}))$.]

To evaluate the query $Q$ (considered as being fixed) in the database $\mathfrak{B}$, the
invariant $\mathfrak{B}^I := \mathit{inv}(\mathfrak{B})$ is constructed, the transformed query $Q' := f(Q)$ is
evaluated in $\mathfrak{B}^I$ and the result is transformed back via the map $\pi$. By Corollary
13 the mappings $\mathit{inv}$ and $\pi$ are Logspace-computable. Thus we get the following
theorem.



Theorem 16. Suppose $\mathcal{L} \in \{$FO, FO+DTC, FO+TC, FO+LFP, FO+IFP,
FO+PFP$\}$ is a logic and $\mathcal{C}$ a complexity class so that the evaluation problem
for $\mathcal{L}$ on finite databases is in $\mathcal{C}$. Then the evaluation problem for $\mathcal{L}$ on dense
linear order databases is also in $\mathcal{C}$.



4.3 Capturing complexity classes 

We now use the invariant to lift the capturing results of descriptive complexity
theory from finite ordered structures to dense linear order databases. The crucial
observation is that $\mathit{inv}(\mathfrak{B})$ is interpretable in $\mathfrak{B}$. In particular, this will give us a
transformation from formulae over the invariant to formulae over the database.
See [9] for background on interpretations.
Definition 17. Let $\mathfrak{B} := (\mathbb{R}, <, R_1^{\mathfrak{B}}, \dots, R_k^{\mathfrak{B}})$ be a database with signature $\sigma$ over
$(\mathbb{R}, <)$, let $\mathfrak{B}^I = \mathit{inv}(\mathfrak{B})$ be its invariant, and $\tau$ be the signature of the invariant.
The interpretation $\Gamma$ interpreting $\mathfrak{B}^I$ in $\mathfrak{B}$ is given by

(1) a surjective function $f_\Gamma : \mathbb{R} \to U$ defined as $f_\Gamma(x) := [x]$, and

(2) for each atomic $\tau$-formula $\psi(x_1, \dots, x_m)$ a formula $\psi_\Gamma(x_1, \dots, x_m) \in
\mathrm{FO}[\sigma]$ such that for all tuples $\bar a \in \mathbb{R}^m$: $\mathfrak{B}^I \models \psi(f_\Gamma(\bar a))$ if and only if $\mathfrak{B} \models
\psi_\Gamma(\bar a)$.

An equality $u = v \in \mathrm{FO}[\tau]$ corresponds to $u \sim v$, where $u, v$ denote either
variables or parameters from $P^{\mathfrak{B},\psi}$ (recall that $\sim$ is first-order definable). The
translations for all other atomic formulae are given according to Definition 10.
That is, a formula $u < v \in \mathrm{FO}[\tau]$ corresponds to $u < v \wedge \neg(u \sim v)$ and $R'_s \bar x\, \bar i$ to
$\exists \bar y \big( R_s \bar y \wedge \sigma_{\mathrm{ar}(R)}(\bar y, \bar i) \wedge \bigwedge_j (x_j \sim y_j) \big)$. (Recall the definition of $\sigma_k$ from Definition
11.)

We can now replace in any formula $\psi$ of vocabulary $\tau$ in first-order logic,
transitive closure logic or fixed point logic the atomic formulae by their corresponding
formulae and obtain a $\sigma$-formula $\psi_\Gamma$. The equivalence between $\psi$ and
$\psi_\Gamma$ in part (2) of the definition thus extends to arbitrary formulae in these logics.

We are now ready to lift the capturing results from finite ordered structures
to dense linear order databases. Clearly, every, say, FO+LFP-query $\psi$ is
invariant under automorphisms of $\mathfrak{A}$ that preserve the constants in $\psi$. Thus we
can only hope to capture those Ptime-queries which are invariant under such
automorphisms. This is made precise in the following definition.

Definition 18. A complexity class $\mathcal{C}$ is captured by a logic $\mathcal{L}$ on the class of
dense order databases, if for all queries $Q$ in $\mathcal{C}$ for which we can choose a finite
set $S \subseteq \mathbb{R}$ such that $Q$ commutes with every automorphism of $(\mathbb{R}, <, S)$, there is
a formula $\psi$ in $\mathcal{L}$ satisfying the following property: For all dense order databases
$\mathfrak{B}$ we have that $Q(\mathfrak{B})$ is true iff $\mathfrak{B} \models \psi$.

Theorem 19. Let $\mathcal{L}$ be a logic as in Theorem 16 and $\mathcal{C}$ be a complexity class
such that $\mathcal{L}$ captures $\mathcal{C}$ on the class of finite ordered structures. Then $\mathcal{L}$ captures
$\mathcal{C}$ on the class of dense order databases.

Proof. We give the proof explicitly only for FO+LFP. The other cases can be
proven analogously. We have already shown that FO+LFP $\subseteq$ Ptime. For the
other direction, suppose that $Q$ is a polynomial-time computable query on dense
order constraint databases of signature $\sigma$. We show that there is an FO+LFP$[\sigma]$-formula
$\varphi_Q$ defining $Q$.

Again let $\tau$ denote the signature of the corresponding invariants. Let $Q'$ be
the query that takes invariants $\mathit{inv}(\mathfrak{B})$ of databases $\mathfrak{B}$ as inputs and returns
as output the set $Q'(\mathfrak{B}^I) := \{f_\Gamma(\bar a) : \bar a \in Q(\mathfrak{B})\}$. Clearly $Q'$ can be computed
in polynomial time, since a representation of the database $\mathfrak{B}$ whose invariant is
given as the input can be computed in Logspace and since $Q$ is a Ptime-query.
(Note that in contrast to the algorithm of the previous section this algorithm
constructs the database from the invariant and evaluates the query in the database,
whereas the algorithm in the previous section constructs the invariant from the
database and then operates on the invariant.)

Since $Q'$ is a Ptime-query on finite ordered structures, there exists by the
Theorem of Immerman and Vardi (see [1, 10]) an FO+LFP$[\tau]$-formula $\varphi$ that
defines $Q'$. By the remarks above, there exists a formula $\varphi_\Gamma \in$ FO+LFP$[\sigma]$ such
that for all $\bar a \in \mathbb{R}^m$, $\mathit{inv}(\mathfrak{B}) \models \varphi(f_\Gamma(\bar a))$ iff $\mathfrak{B} \models \varphi_\Gamma(\bar a)$. Thus $\mathfrak{B} \models \varphi_\Gamma(\bar a)$ if and
only if $\bar a \in Q(\mathfrak{B})$. This proves the theorem. □

The following table summarizes the relations between logics and complexity 
classes in the context of dense linear orders. 

Logics and complexity classes in the context of dense linear orders.

FO+DTC = Logspace
FO+TC = NLogspace
FO+LFP = Ptime
FO+PFP = Pspace

5 Summary and Further Results 

In the main result of this paper we presented a general method to prove com- 
plexity bounds for query languages over dense order databases. The idea was 
to code the finitely represented database as a finite database and then use the 
evaluation algorithms available for the query language on finite databases. It 
turned out that this encoding can be defined by first-order formulae using only 
the order predicate and some very limited kind of arithmetic. It can therefore 
be done with very low data complexity. This method enabled us to evaluate 
queries for various query languages within the same complexity classes as for 
finite databases. 

This method also works for databases defined by inequality constraints over a
countably infinite set. By a simple argument based on Ehrenfeucht-Fraïssé games
we can also prove that the various fixed-point logics considered before are too
weak to express all Logspace-computable queries.

Unfortunately the good results for dense order databases cannot be extended
to linear constraint databases over the reals. As soon as we admit recursion in
the query language the arithmetic over $\mathbb{N}$ becomes definable and thus the query
language undecidable.

The situation changes drastically if structures with a discrete order as uni- 
verse are considered. It is known that positive DATALOG-queries on discrete order 
databases can be evaluated in closed form (see [14]) but the data complexity is 
still unknown. For first-order queries a better result can be shown. 

Theorem 20. First-order queries on discrete order databases can be evaluated
in Logspace.

See [13] for a proof of the theorem. In Section 3 we have shown that the 
data complexity of first-order queries over (N, <,+) is in the polynomial time 
hierarchy and that there are complete first-order queries for all levels of PH. 
As in the case of the context structure (ℝ, <, +), adding recursion to the query
language leads to undecidable query languages. Of course, even first-order queries
are undecidable if we also add multiplication to the context structure.

The following table summarizes the results. The NC bound for first-order
queries on databases over the field of reals comes from [12]. Note that only in
the case of (ℝ, <) we have precise capturing results. The other cases are just
complexity bounds.





            inequality   (ℝ,<)       (ℝ,<,+)   (ℝ,<,+,·)   (N,<)      (N,<,+)   (N,<,+,·)
FO          AC⁰          AC⁰         NC        NC          Logspace   PH        n.d.
FO+DTC      Logspace     Logspace    n.d.      n.d.        n.d.       n.d.      n.d.
FO+TC       NLogspace    NLogspace   n.d.      n.d.        n.d.       n.d.      n.d.
FO+LFP      Ptime        Ptime       n.d.      n.d.        n.d.       n.d.      n.d.
FO+PFP      PSPACE       PSPACE      n.d.      n.d.        n.d.       n.d.      n.d.

n.d. = not decidable
Applicative Control
and Computational Complexity

Daniel Leivant 

Abstract 

We establish a tight correspondence between three major complexity 
classes and simple syntactic restrictions on applicative programs in the 
simply typed lambda calculus with a recurrence operator. The syntactic 
restrictions considered are: recurrence arguments cannot be passed as com- 
puted values (“input-driven terms”), abstracted higher-order variables can 
appear at most once (“solitary terms”), and abstracted variables cannot 
be eventually nested (“separated terms”). 

We show that the functions over word algebras represented by input-
driven terms are precisely the poly-time functions (a result akin to [8]
(Chapter 24.2)). When input-driven recurrence is permitted over all finite
types, the elementary functions are obtained (a result akin to [1]). When
terms are further restricted to solitary ones, even recurrence in all finite
type yields only the poly-time functions. Finally, separated terms generate
exactly the poly-space functions.

The interest in the approach discussed here lies in its simplicity: the
complexity characterizations are based on restricted use of standard ap-
plicative constructs, rather than a syntactic overlay as in ramified recur-
rence [3, 12, 15, 7, 21]. However, approaches based on ramified recurrence
are more powerful than simple syntactic control, as well as more con- 
ceptually and methodologically coherent. Thus, the two approaches are 
complementary and of independent interest. 



1 Introduction: Background and results 

Intrinsic computational complexity. 

Traditional computational complexity, based on resources such as computa-
tion time and space, has been matched in recent years with “implicit”, i.e. machine-
independent and conceptually anchored, measures of complexity, such as the de-
scriptive complexity of problems (finite model theory), the complexity of declar-
ative programs (types, limited recurrence operators, bounding conditions), and
principles needed to prove program convergence (e.g. restricted induction or
set-existence).¹ Implicit characterizations of major computational complexity
classes are appealing both for the theoretical insight they provide and for their
potential applications. Conceptually, these characterizations link computational
complexity to levels of definitional and inferential abstraction of significant inde-
pendent interest. They also lend credence to the importance of the complexity
classes characterized, yield insight into their nature, suggest new tools for sep-
arating them, and provide a framework for complexity theory for higher type.
Practically, implicit computational complexity permits the streamlined incorpo-
ration of computational complexity into areas such as formal methods in software
development, programming language theory, and database theory.

* Indiana University, Bloomington, IN 47405. leivant@cs.indiana.edu. Research partially
supported by NSF grants CCR-9309824 and DMS-9870320. The author is grateful to Martin
related to this work.

Applicative control 

This paper is a contribution to an approach to implicit computational com- 
plexity which we dub applicative control. The idea is to syntactically restrict 
applicative programs so as to guarantee their computational complexity. Indeed, 
the restrictions sought characterize major complexity classes, such as poly-time, 
poly-space, and Kalmar-elementary. This approach was recently studied by Neil 
Jones, in his monograph [8] (Chapter 24.2), and Beckmann and Weiermann, in 
their forthcoming [1]. Jones characterizes poly-time by recurrence with “read- 
only” variables, and [1] characterizes the (Kalmar-) elementary functions by a 
combinatory variant of Gödel’s system T. Here we offer a uniform discourse
for the method, giving simple proofs for the results of [8] and [1], as well as a 
control-based sub-calculus of [21]. Our main technical contribution is the char- 
acterization of poly-space by syntactic restrictions on applicative programs. 

Relations with ramification. 

The applicative control approach is closely related to the restriction of recur- 
rence in applicative programs by an overlay of “ramification” , or “ data tiering” . 
The motivation there is foundational: Recurrence schemas reflect different uses 
of data in computing, as was pointed out independently for recurrence [3], func- 
tional recurrence [23], lambda representability [9], and second order provability 
[11]. Notably, Bellantoni and Cook [3] formalized this distinction and obtained 
a functional characterization of poly-time that does away with the bounding 
condition of [5]. In [10] we outlined a predicative-finitistic critique of recurrence 
that leads to a generalization of [3], using a general form of ramified data and 
ramified recurrence. Variants of this method have been used to characterize, 
among others, alternating log time [4, 19], alternating poly-log time [4], linear
space [10, 6, 12], NP, the poly-time hierarchy [2], poly-space [17], (Kalmar-) ele-
mentary time [15], and NC [14].² Recently, Martin Hofmann [7] and Bellantoni,

¹Recent workshops dedicated specifically to implicit computational complexity include Im-
plicit computational complexity in programming languages (Baltimore, September 1998) and
Implicit computational complexity (Trento, June/July 99).

²Data ramification underlies also the characterizations of poly-time by set-existence prin-
ciples [11], by typed λ-calculi [16], and by a proof theoretic ramification [13].
Niggl and Schwichtenberg [21] have developed calculi that allow recurrence in
higher type, and yet define only poly-time functions. To achieve this the use of 
tiers in types is refined by the use of modal operators, which make it possible 
to regulate the control flow of the computation, notably in forbidding repeated 
use of arguments. 

These two approaches, ramification and syntactic-control, represent a trade-
off. Ramification is a more powerful method, allowing more λ-terms to be typed.
It is also more methodologically coherent, as it is closed under basic syntactic op-
erations such as reductions and (type-correct) substitution. Also, ramification is
natural for proof systems, and those often map via the Schönfinkel-Curry-Howard
morphism to ramification of applicative programs, establishing an elegant and
illuminating link between the proof theoretic and the algebraic approaches to
implicit computational complexity. On the other hand, the syntactic control
approach captures the combinatorial issues at hand in their simplest and purest
forms. This simplicity, aside from its pedagogical interest, is of potential prac-
tical value, as it can be automatically recognized.

Apparent shortcomings of the syntactic control approach may be less conse- 
quential than may first seem. For example, the restrictions considered do not 
necessarily block the use of central notions of functional programming, such as 
modularization or internalization of patterns as higher-order functions. While 
the restricted terms are not necessarily closed under substitution, it is often 
possible to factor the construction of λ-terms that do not satisfy the restriction
considered into composition of terms that do, implying that the given terms 
also fall into the complexity classes characterized, albeit not satisfying the given 
syntactic properties. To capture these more general cases one may require the 
programmer to use let constructs whose components satisfy the syntactic re- 
strictions. Alternatively, the factoring of a given term may be done automat- 
ically in some cases, a task which albeit not in linear time is still of low time 
complexity. 

In summary, ramification and syntactic-control are complementary tech- 
niques for incorporating computational complexity concerns in programming lan- 
guage methodology. Conceptually ramification is more coherent, and of greater 
theoretical interest. However, algorithmically syntactic-control is an attractive 
option for compile-time inference of computational complexity of functional pro-
grams, and deserves independent study.

Plan and results. 

The plan of the paper is as follows. We start by formulating variants of
the results of [8] and [1], with as underlying formalism the simply typed λ-
calculus with a recurrence operator. We offer simple proofs of these complexity
characterizations, and unravel their similarity. We then consider in section 3
a characterization of poly-time that permits recurrence in higher type, namely
by prohibiting multiple uses of abstracted higher-order variables. This restric-
tion has been considered in the context of ramified formalisms in [21] and [7],
where it is expressed in a typed λ-calculus with modalities. Finally, we present
in section 4 our most novel technical contribution, a control-based characteri-
zation of poly-space. Here the restriction on abstracted higher-order variables
is looser: these are permitted to have multiple uses, but not in a way that can
lead to their being nested after reduction. This is analogous to our work with
Marion on characterization of poly-space by predicative ramified recurrence in
higher type [17, 18]. Our result here seems to be of some interest also for the
pure simply-typed lambda calculus (recurrence aside), as it exhibits a simple
syntactic condition, viz. separated terms, for which normalization can be per-
formed in polynomial space (for all terms of a given type complexity), compared
to elementary time for arbitrary typed λ-terms.



2 Input-driven function representation 



2.1 Terminology and notations 

• 1λ = The simply typed lambda calculus, with β-conversion.

• 1λ(W) = 1λ with basic functions and reductions for the algebra W of
words over {0,1}. I.e. 1λ augmented with a constant ε : o, constants
0, 1, p : o → o (successors, predecessor) and d : o, o, o, o → o (discriminator), and
with the added reductions

    p(0E) ⇒ E          d ε E F G ⇒ E
    p(1E) ⇒ E          d(0A) E F G ⇒ F
    p(ε) ⇒ ε           d(1A) E F G ⇒ G

• 1λR(W) = 1λ(W) augmented with a recurrence constant³ R : o, o→o, o→o, o → o,
and the added reduction rules

    R ε E0 E1 E ⇒ E
    R(0A) E0 E1 E ⇒ E0 (R A E0 E1 E)
    R(1A) E0 E1 E ⇒ E1 (R A E0 E1 E)

Note that focusing on word algebras is the natural thing to do, because
computational complexity measures are defined for symbolic computing
(on Turing machines), i.e. computing over word algebras.

³The recurrence operator is here “monotonic”, i.e. iteration with parameters.

• 1λR^ω(W) is 1λR(W), but with recurrence constants R_τ : o, τ→τ, τ→τ, τ → τ
for each type τ, and reduction rules as above for them. We dub the first
argument of R_τ the recurrence argument.

Abbreviating R_o by R, 1λR(W) is a sub-calculus of 1λR^ω(W).

For each calculus we denote by ≃ the reflexive, symmetric, and transitive
closure of the reduction relation ⇒, performed on terms as well as subterms.
A function f : Wʳ → W is represented in 1λR(W) (or 1λR^ω(W)) by a term
E if for all u1, …, ur ∈ W, E u1 ··· ur ≃ f(u1, …, ur) in 1λR(W) (1λR^ω(W),
respectively). If PROP is a syntactic property of terms, we say that f is PROP-
representable if f is represented by some term Ē = λx1 … xr.E where E is
PROP. (NB: we refer here to E, not to Ē.)

2.2 Poly-time and input driven representation in 1λR(W)

A term E of 1λR^ω(W) is input driven if no recurrence argument A in E
has a free variable bound in E. For instance, R u (λz.R z 1 1 z)(λz.R z 1 1 z)(1ε) (which
represents a function of exponential growth) is not input-driven.

Lemma 2.1 Every poly-time function is input-driven-representable in 1λR(W).

Proof. A direct proof can be obtained from the proof in [12] that two-tier re-
currence captures poly-time, with insignificant modifications. Alternatively, one
can prove that a normal term E of 1λR(W) which admits a two-tier ramification
must be input-driven. The proof is by structural induction on E. □

To prove the converse implication, we use the following auxiliary notion. Say
that a term E is strictly-input-driven if every recurrence argument in E is a free
variable of E.

Lemma 2.2 If f is a function input-driven-representable in 1λR(W) (or 1λR^ω(W))
then f can be explicitly defined (i.e. using multi-valued composition) from func-
tions that are strictly-input-driven-representable in 1λR(W) (in 1λR^ω(W), re-
spectively).

Proof. Suppose that f : Wʳ → W is represented by λx̄.E, where E is input-
driven. We prove the claim by induction on the size of E. Let A1, …, Am be
the recurrence arguments in E which are not within the scope of more than one
recurrence (as is, for instance, A in R(R A B C D) x y z). Since E is input-driven,
all free variables in these Ai’s are in x̄. By induction assumption, each term
λx̄.Ai represents a function ai that is definable by composition from functions
that are strictly-input-driven-representable.

Let z1, …, zm be fresh variables, and let E′ be E with Ai replaced by zi (i =
1 … m). Then λx̄z̄.E′ strictly-input-driven represents a function f′ : W^(r+m) →
W, and f(x̄) = f′(x̄, a1(x̄), …, am(x̄)). Since each ai is explicitly definable from
functions that are strictly-input-driven-representable, this completes the proof.
□
Lemma 2.3 Every function strictly-input-driven-representable in 1λR(W) is
poly-time.

Proof. We shall prove in 3.12 a stronger result, but it is worth outlining a simple
proof of the present statement. First, observe that if E is a strictly-input-driven
normal term of 1λR(W), of type oʳ → o, then all subterms of E are of rank
≤ 1, except for terms of the form R, R u or R u E0.⁴ This is straightforward by
structural induction on E.

Now prove that every normal strictly-input-driven term E whose λ-closure —
with respect to variables other than the input variables — has type of rank ≤ 2
maps functions that are computable in time polynomial in the input variables
and constant in the (m) formal arguments to the same sort of functions. This
is proved by structural induction on E, using the observation above. □

Combining Lemmas 2.1, 2.2, and 2.3 we obtain 

Theorem 2.4 A function is input-driven-representable in 1λR(W) iff it is poly-
time.

Theorem 2.4 is close to a characterization of poly-time proved by Jones [8]. 

2.3 Linear space and representation over N 

While we focus on recurrence over word algebras, it is of interest to consider 
recurrence over the algebra of unary numerals, i.e. the set N of the natural num- 
bers. Here the base constant is written as 0 (rather than e), and the unique 
successor function is denoted by s. The discriminator function is similarly mod- 
ified, to a ternary function, and the recurrence and discriminator reductions are 
restated accordingly. See e.g. [12] for details. Write 1λR(N) for the resulting
calculus.

The result analogous to Theorem 2.4 is then:

Theorem 2.5 A function over N is input-driven-representable in 1λR(N) iff it
is computable in linear space, i.e. iff it is in level ℰ² of the Grzegorczyk Hierarchy.

We omit the proof, which parallels that of Theorem 2.4. 

2.4 Elementary functions and input-driven representation in 1λR^ω(W)

We extend the notions of input-driven and strictly-input-driven terms to
1λR^ω(W).

⁴The rank of a type is the count of negative nestings of →: rnk(o) = 0, and rnk(σ → τ) =
max(1 + rnk(σ), rnk(τ)).
A function f over W is Kalmar-elementary iff there is a k ≥ 1 such that f is
computable in time O(2_k(n)).⁵

Lemma 2.6 Every Kalmar-elementary function over W is input-driven-representable
in 1λR^ω(W).

Proof. Let τ_1 =df o → o, τ_{k+1} =df τ_k → τ_k. Define

    D_k =df λf. f∘f = λf λv. f(f(v)),

a term of type τ_{k+1}. For a term A of type τ → τ write Aⁿ for the n-fold iterate
of A, i.e. AⁿB is an abbreviation for A(A(··· A(B) ···)), with n occurrences of
A. Thus the term R_{τ_k} u D_k D_k A converts to (D_k)ⁿ A (where n = |u|), which in
turn converts to A^(2ⁿ). Define now the input-driven term

    E_k =df R_{τ_k} u D_k D_k D_{k−1} ··· D_1 1 ε

of type o. Then λu.E_k represents 2_k in unary: using n̄ as an abbreviation
for 1ⁿε, we have E_k ≃ m̄ with m = 2_k(n) whenever |u| = n.

Now that we have a “clock” for 2_k, the simulation of computation in time
O(2_k(n)) can be driven as in the representation proof for Kalmar-elementary
functions by higher order ramified recurrence, in [15]. □
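The reduction rules of 1λ(W) and 1λR(W) from 2.1, and the 2_k clock of Lemma 2.6, as an added example that is not code from the paper: words are Python strings, the constants ε, 0, 1, p, d and R are Python functions, and since Python is untyped the one function R also serves as R_τ at every type τ. The function names (cat, double, exp_growth, clock, tower) are the example's own.

```python
# Constructed example (not code from the paper): the word algebra W and the
# recurrence constant R of 1λR(W), modelled directly as Python functions.
# Words over {0,1} are Python strings; "" plays the role of ε.

EPS = ""

def zero(w):  # constant 0 : o -> o
    return "0" + w

def one(w):   # constant 1 : o -> o
    return "1" + w

def pred(w):  # p : o -> o, with p(0E) => E, p(1E) => E, p(ε) => ε
    return w[1:]

def disc(w, e, f, g):  # d: d ε E F G => E, d(0A) E F G => F, d(1A) E F G => G
    if w == EPS:
        return e
    return f if w[0] == "0" else g

def R(a, e0, e1, e):
    """Recurrence (iteration with parameters) on the word a:
    R ε E0 E1 E => E, R(0A) E0 E1 E => E0 (R A E0 E1 E), R(1A) E0 E1 E => E1 (R A E0 E1 E).
    The same function serves as R_τ at every type τ, since Python is untyped."""
    acc = e
    for c in reversed(a):          # the innermost recursive call is on the last letter
        acc = e0(acc) if c == "0" else e1(acc)
    return acc

# λu λv. R u 0 1 v : concatenation u·v. The recurrence argument u is an input
# variable, so the term is (strictly) input-driven; the function is poly-time.
def cat(u, v):
    return R(u, zero, one, v)

# λz. R z 1 1 z : prepends |z| ones to z, doubling its length.
def double(z):
    return R(z, one, one, z)

# R u (λz.R z 1 1 z)(λz.R z 1 1 z)(1ε) from Section 2.2: the inner recurrence
# argument z is a bound variable, so the term is not input-driven; |result| = 2^|u|.
def exp_growth(u):
    return R(u, double, double, one(EPS))

# D = λf λv. f(f v), the iterator D_k of Lemma 2.6 (the same term at every type τ_k -> τ_k).
def D(f):
    return lambda v: f(f(v))

def clock(k, u):
    """E_k = R_{τ_k} u D_k D_k D_{k-1} ... D_1 1 ε (Lemma 2.6): the unary numeral 1^{2_k(|u|)}.
    The higher-type recurrence is input-driven but not solitary (f occurs twice in D)."""
    tail = [D] * (k - 1) + [one, EPS]      # D_{k-1}, ..., D_1, then the constants 1 and ε
    t = R(u, D, D, tail[0])                # (D_k)^n applied to D_{k-1} (or to 1 when k = 1)
    for arg in tail[1:]:
        t = t(arg)
    return t

def tower(k, n):  # 2_k(n): 2_0(n) = n, 2_{k+1}(n) = 2^{2_k(n)}
    for _ in range(k):
        n = 2 ** n
    return n
```

Run stand-alone, the functions show the two sides of Theorem 2.4: cat is input-driven and its output is linear in its inputs, while exp_growth recurs on a bound variable and its output has length 2^|u|. clock(k, u) returns the numeral 1^{2_k(|u|)}; keep k and |u| small, since the length of the output is itself 2_k(|u|).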

Lemma 2.7 Every function f strictly-input-driven-representable in 1λR^ω(W)
is computable in elementary time.

Proof. Let Ē = λx̄.E represent f : Wʳ → W in 1λR^ω(W). Let F arise from
E by renaming variable occurrences, so that every recurrence argument is a
different variable. Thus F represents a function f′ of arity ≥ r, from which
f is obtained by identifying arguments (i.e. diagonalizing).

Replacing in F every subterm of the form R_τ x by a variable x′ of type
(τ→τ)², τ → τ, we obtain a representation of f′ in 1λ(W), with input repre-
sented by Böhm-Berarducci terms at various types, and output at type o. As
observed in [15], such functions are computable in elementary time. Thus f′,
and whence also f, are computable in elementary time. □

Combining Lemmas 2.6, 2.2, and 2.7 we obtain 

Theorem 2.8 A function is input-driven-representable in 1λR^ω(W) iff it is
computable in elementary time.

⁵As usual, 2_k(n) is a k-deep exponential stack of 2’s with n on top: 2_0(n) = n; 2_{k+1}(n) =
2^(2_k(n)).

A variant of Theorem 2.8, for a combinatory calculus, was proved in [1], using
a specialization of Schütte’s ordinal assignment to Gödel’s system T [22].



3 Poly-time and solitary representation, allowing 
recurrence in all finite types 

We call a term E of 1λR^ω(W) solitary if it is input-driven, and for every
subterm λx.F of E, where x is a variable of higher type (i.e. other than o), x
occurs in F at most once.

Lemma 3.9 Every poly-time function f over W is definable by composition from
functions that are solitary-representable in 1λR^ω(W).

Proof. By Lemma 2.1 f is representable by the composition of input-driven
terms in 1λR(W). Without loss of generality, these terms are normal. By
structural induction, it is easy to see that normal terms of 1λR(W) can use no
abstraction over higher-order variables; it follows that those terms are solitary.
□

The key property of solitary terms is the following straightforward observa- 
tion. 

Lemma 3.10 A β-reduction for a higher-order variable in a solitary term is
size-reducing.

Towards showing that every solitary-representable function is poly-time we
will use the following technical result.



Lemma 3.11 Let E[ū; v̄] be a solitary 1λR^ω(W) term of type oʳ → o (r ≥ 0),
where ū = u1, …, uk are the recurrence variables occurring in E, each used
only once, and v̄ = v1, …, vm are the remaining variables, all of type o. Fur-
ther, assume that E has no occurrence of R_τ for τ other than o, and whose
redexes are either R_o-redexes, or of type whose rank is ≤ 1. Then, for every
u1, …, uk, v1, …, vm, x1, …, xr ∈ W, the term E′ =df E[ū; v̄] x̄ reduces to
normal form within |u1| · |u2| ··· |uk| · size(E) · r steps.

Proof. By induction on E. The cases where E is one of ε, 0, 1, p, or d
are straightforward. The case where E = λx.F is trivial from the induction
assumption applied to F.

If E is of the form R_o u_i F0 F1 (of type o → o), then E′ = R_o u_i F0[ū; v̄] F1[ū; v̄] x̄.
Say u_i is u1. The convergence property is proved by induction on |u1|. Note
that by our assumptions on E, u1 is not a recurrence argument in either F0 or
F1. If u1 = ε, the statement is trivial. If u1 = 0w, then E′ reduces in one step
to F0[ū; v̄] G, where G = R_o w F0[ū; v̄] F1[ū; v̄] x̄, and by induction assumption G
converges to some w′ ∈ W within (|u1| − 1) · |u2| ··· |uk| · size(G) steps. By induc-
tion assumption for F0, F0 w′ reduces to normal form within |u2| ··· |uk| · size(F0)
steps. Adding these two values we get the desired bound for E′. The case where
u1 = 1w is similar.

If E is any other term of the form F G, then the conditions on E imply that
F is of type o^(r+1) → o and G is of type o (r ≥ 0). We have E′ = F[ū; v̄] G[ū; v̄] x̄.
By induction assumption G reduces to some w ∈ W within |u1| ··· |uk| · size(G)
steps, and then F[ū; v̄] w x̄ reduces within |u1| ··· |uk| · size(F) steps. The result
follows.

Finally, if E = λx.F, then the statement of the lemma is trivial by induction
assumption for F. □

Lemma 3.12 If a function is solitary-representable in 1λR^ω(W) then it is poly-
time.

Proof. Suppose that f is an r-ary function over W representable by λx1, …, xr.F,
where F is solitary. By Lemma 2.2 we may assume that F is strictly-input-
driven. By separating variable-occurrences into distinct variables, we may also
assume, w.l.o.g., that no xi occurs in F as recurrence argument more than once.
Let y1, …, yq be the xi’s used for higher order recurrence, and z1, …, zk the
xi’s used for recurrence in type o. Given y1, …, yq, z1, …, zk ∈ W, consider
the term F′ = {ȳ, z̄ / ȳ, z̄}F. Unfolding the higher order recurrences in F′ can
be done in time polynomial in |ȳ|, yielding a term F″ of size polynomial in ȳ.
By Lemma 3.10 higher order β-redexes can be eliminated in time bounded by
the size of F″, yielding a smaller term F‴ that satisfies the conditions of Lemma
3.11. The Lemma follows. □

Combining Lemmas 3.9 and 3.12 we obtain 

Theorem 3.13 The functions solitary-representable in 1λR^ω(W) are precisely
the poly-time functions.



4 Separated representation and poly-space 



4.1 Representability of poly-space 

If F G1 ··· Gr is a subterm-occurrence in a term E we say that the term-
occurrences Gi are in the scope of term-occurrence F and of its subterms. We
call a term E of 1λR^ω(W) separated if every two occurrences of a variable have
the same bound variables in their scope. For example, λx^(o→o) λz^o. x(x(z)) is
not separated, because the external occurrence of x has the bound variable x
in its scope, whereas the internal one does not. Similarly, (λy.λz.x(y(z))) x is
not separated, because the first occurrence of x has y and z in its scope, whereas
the second does not.⁶



Lemma 4.14 Every poly-space function is separated-representable in 1λR^ω(W).

Proof. It is proved in [17] that the functions computable in alternating polyno-
mial time, i.e. the poly-space functions, are representable using a weak form of
second-order ramified recurrence (which suffices to capture ramified recurrence
with parameter substitution). Inspection of that construction shows that the
terms constructed are in fact separated. □

4.2 Reductions on separated terms 

Lemma 4.15 If E is separated, and E reduces in one step to E′ in 1λR^ω(W),
then E′ is separated. □

Consider terms of 1λR^ω(W) represented by their syntax tree, i.e. 1-2 trees
where leaves are labeled by variables or constants, nodes with out-degree 1
represent λ-abstraction and are labeled with the abstracted variable, and nodes
with out-degree 2 are labeled with APP and represent application. A β-reduction
(λx.E)F ⇒ {F/x}E is represented by substituting in the tree of E, for each
leaf labeled with x, the tree of F with its root node identified with that leaf.
It is advantageous to refrain from doing the latter, and to keep the root of the
tree for F as a descendent of the leaf for x: for one, this will preserve the tree
addresses of internal nodes of E in {F/x}E. We do this by allowing the representing
tree to have nodes marked with NOOP.⁷ Note that in the course of a normalization
sequence of a term, a given address can undergo two sorts of change: (a) from
being empty (outside the tree) to becoming labeled with a variable, constant, or
APP; (b) from being labeled, to being marked NOOP.

In a β-reduction as above, we call a node in a copy of F in {F/x}E an
offspring of the corresponding node in the main argument F in (λx.E)F. In
the course of a reduction sequence, nodes can have an ever increasing number
of descendents, i.e. offsprings, the offsprings of those, etc. Just as we defined
separated variables, let us say that two nodes in a syntax tree are separated if
they have the same bound variables in their scope. We clearly have

Lemma 4.16 Let E be a separated term that reduces to E′; then the offsprings
of each node, created by the reduction, are separated, and if α and β are sepa-
rated nodes in E, then each offspring of α in E′ is separated from every offspring
of β in E′.

⁶The notion of separated terms is related to Karl-Heinz Niggl’s notion of “scope equiva-
lence”, see e.g. [21].

⁷NB: NOOP is an algorithmic device used in the representation of λ-terms, and is not part
of the syntax of the calculus itself.
From this we conclude

Lemma 4.17 If E reduces to E′ in 1λR^ω(W), and α and β are nodes in E′ that
are descendents of the same node in E, then they are not on the same branch.

Proof. By induction on the length of the reduction. Suppose that E′ satisfies
the conclusion, and E′ reduces in one step to E″. Suppose that two descendents
α and β of the same node in E are offsprings of α0 and β0 respectively, in E′, and
α is above β in E″. By Lemma 4.16 α0 and β0 are separated, and by induction
assumption they are not on the same branch in E′. Thus, the reduction from
E′ to E″ must place the offspring α of α0 over β. This can happen only if the
eigen-variable of the reduction is in the scope of α in E′, but not in the scope
of β. This contradicts the separation of α and β in E′. □

We conclude

Lemma 4.18 If a separated term E reduces to E′ by β-reductions, then the
height of the syntax tree of E′ is bound by the size of E.

Because addresses in syntax-trees can change their label at most twice in the
course of a reduction sequence (as noted above), Lemma 4.18 implies

Lemma 4.19 If E is separated, then all β-redexes in E are eliminable in time
exponential in the size of E.

Using Lemmas 4.18 and 4.19 we obtain

Proposition 4.20 There is a linear-space algorithm for eliminating from sep-
arated terms all β-redexes.

Proof. For a separated term E of size n, the algorithm uses a counter A of length
n for addresses in the syntax-trees of terms (of height ≤ n, i.e. size ≤ 2ⁿ), and
a counter T for reduction-time (of ≤ 2ⁿ steps). The value returned is the label
at address A after T reductions. The details are tedious but straightforward. □

4.3 Poly-space computability of separated-representable 
functions 

Lemma 4.21 Every function separated-representable in 1λR^ω(W) is poly-space.

Proof. Suppose f is represented by λx1 … xr.F, where F is separated, whence
also input-driven. W.l.o.g., F is strictly-input-driven. Given u1, …, ur ∈ W,
consider the term E = {ū/x̄}F. Unfolding all recurrences in E yields a term
E′ of height polynomial in |ū|, whose local description can be given in poly-
space. By Proposition 4.20 all redexes in E′ can be eliminated from E′ in space
linear in the size of E′, i.e. polynomial in |ū|. The result is a normal term of
type o, which albeit potentially of length exponential in the input, is bitwise in
poly-space. □

Combining Lemmas 4.14 and 4.21 yields

Theorem 4.22 The functions separated-representable in 1λR^ω(W) are pre-
cisely the poly-space functions.



5 Directions for further research 

One obvious project is to further expand the development presented here to 
syntax-restricted characterizations of additional classes, emulating such charac- 
terizations using data ramification. In particular, it seems that the character- 
izations of alternating log-time and of NC by ramified tree recurrence [19, 14] 
can be paralleled to yield analogous results for syntax-restricted recurrence on 
trees. 

One of the benefits of resource-independent characterizations of complexity 
classes is that they generalize to higher type much more easily than machine- 
based definitions of such classes. For instance, we believe that the functionals 
solitary-representable in 1λR^ω(W) form precisely the class BFF. A result anal-
ogous to the characterization of probabilistic polynomial time in [20] seems also 
to be at hand. 

Most importantly, one would wish to see that the simplicity of the syntactic- 
control approach is put to use in actual implementations of functional program- 
ming languages. All syntactic properties considered here can be trivially checked 
in linear time. As mentioned in the introduction, one might wish to extend 
the applicability of the method by crafting algorithms that automatically factor 
given untyped terms that do not satisfy the syntactic restrictions considered into 
compositions and closures under substitution of terms that do satisfy those re- 
strictions. While such algorithms would not be in linear time, they are still likely 
to be algorithmically more efficient, in both worst-case and average-case, than 
type inference algorithms for ramified systems, in particular ones with modal 
operators. 



References 

[1] Arnold Beckmann and Andreas Weiermann. Characterizing the elementary
recursive functions by a fragment of Gödel’s T. Manuscript,
www.math.uni-muenster.de/math/inst/logik/publ/pap/20.html.

[2] S. Bellantoni. Predicative recursion and the polytime hierarchy. In Peter
Clote and Jeffery Remmel, editors, Feasible Mathematics II, Perspectives in
Computer Science, pages 15-29. Birkhäuser, 1994.




94 D. Leivant 



[3] S. Bellantoni and S. Cook. A new recursion-theoretic characterization of 
the poly-time functions. Computational Complexity, 2:97-110, 1992. 

[4] S. Bloch. Functional characterizations of uniform log-depth and polylog- 
depth circuit families. In Proceedings of the Seventh Annual Structure in 
Complexity Theory Conference, pages 193-206. IEEE Computer Society 
Press, 1992. 

[5] A. Cobham. The intrinsic computational difficulty of functions. In Y. Bar-
Hillel, editor, Proceedings of the International Conference on Logic, Method-
ology, and Philosophy of Science, pages 24-30. North-Holland, Amsterdam,
1962.

[6] W.G. Handley. Bellantoni and Cook’s characterization of polynomial time 
functions. Typescript, August 1992. 

[7] Martin Hofmann. Type systems for polynomial-time computation. Habili- 
tationsschrift, 1998. 

[8] N. Jones. Computability and Complexity from a Programming Perspective. 
MIT Press, Cambridge, MA, 1997. 

[9] D. Leivant. Subrecursion and lambda representation over free algebras. In 
Samuel Buss and Philip Scott, editors. Feasible Mathematics, Perspectives 
in Computer Science, pages 281-291. Birkhauser-Boston, New York, 1990. 

[10] D. Leivant. Stratified functional programs and computational complexity. In 
Conference Record of the Twentieth Annual ACM Symposium on Principles 
of Programming Languages, pages 325-333, New York, 1993. ACM. 

[11] D. Leivant. A foundational delineation of poly-time. Information and Com- 
putation, 1994. (Special issue of selected papers from LICS’91, edited by 
G. Kahn). 

[12] D. Leivant. Ramified recurrence and computational complexity I: Word 
recurrence and poly-time. In Peter Clote and Jeffrey Remmel, editors, Fea- 
sible Mathematics II, pages 320-343. Birkhauser-Boston, New York, 1994. 

[13] D. Leivant. Intrinsic theories and computational complexity. In D. Leivant, 
editor. Logic and Coputational Complexity, volume 960 of LNCS, pages 
177-194. Springer- Verlag, Berlin, 1995. 

[14] D. Leivant. A characterization of NC by tree recurrence. In Thirty Ninth 
Annual Symposium on Foundations of Computer Science (FOCS), pages 
716-724, Los Alamitos, CA, 1998. IEEE Computer Society. 

[15] D. Leivant. Ramified recurrence and computational complexity III: Higher 
type recurrence and elementary complexity. Annals of Pure and Applied 
Logic, 1998. Special issue in honor of Rohit Parikh’s 60th Birthday; editors: 
M. Pitting, R. Ramanujam and K. Georgatos. 




Applicative Control and Computational Complexity 95 







Applying Rewriting Techniques to the 
Verification of Erlang Processes 



Thomas Arts¹ and Jürgen Giesl²

¹ Computer Science Laboratory, Ericsson Utvecklings AB, Box 1505, 125 25 Älvsjö,
Sweden, E-mail: thomas@cslab.ericsson.se
² Dept. of Computer Science, Darmstadt University of Technology, Alexanderstr. 10,
64283 Darmstadt, Germany, E-mail: giesl@informatik.tu-darmstadt.de

Abstract. Erlang is a functional programming language developed by
Ericsson Telecom which is particularly well suited for implementing concurrent
processes. In this paper we show how methods from the area of term rewriting
are presently used at Ericsson. To verify properties of processes, such a property
is transformed into a termination problem of a conditional term rewriting system
(CTRS). Subsequently, this termination proof can be performed automatically
using dependency pairs.

The paper illustrates how the dependency pair technique can be applied
for termination proofs of conditional TRSs. Secondly, we present two
refinements of this technique, viz. narrowing and rewriting dependency
pairs. These refinements are not only of use in the industrial application
sketched in this paper, but they are generally applicable to arbitrary
(C)TRSs. Thus, in this way dependency pairs can be used to prove
termination of even more (C)TRSs automatically.

Keywords: program verification, rewriting, termination, automated deduction

1 Introduction 

In a patent application [HN99], Ericsson developed a new protocol for distributed
telecommunication processes. This paper originates from an attempt to
verify this protocol’s implementation written in Erlang. To save resources and
to increase reliability, the aim was to perform as much as possible of this
verification automatically. Model checking techniques were not applicable, since the
property to be proved requires the consideration of the infinite state space of the
process. A user guided approach based on theorem proving was successful, but
very labour intensive [AD99]. We describe one of the properties which had to be
verified in Sect. 2 and show that it can be represented as a non-trivial termination
problem of a CTRS. But standard techniques (see e.g. [Der87,Ste95,DH95]) and
even recent advances like the dependency pair technique [AG97a,AG97b,AG98,
AG99] could not perform the required termination proof automatically.

In Sect. 3 we show that termination problems of CTRSs can be reduced to
termination problems of unconditional TRSs. After recapitulating the basic
notions of dependency pairs in Sect. 4, we present two important extensions, viz.
narrowing (Sect. 5) and rewriting dependency pairs (Sect. 6) which are
particularly useful in the context of CTRSs. With these refinements, the dependency
pair approach could solve the process verification problem automatically.
2 A Process Verification Problem

We have to prove properties of a process in a network. The process receives
messages which consist of a list of data items and an integer M. For every item
in the list, the process computes a new list of data items. For example, the data
items could be telephone numbers and the process could generate a list of calls to
that number on a certain date. The resulting list may have arbitrary length,
including zero. The integer M in the message indicates how many items of the newly
computed list should be sent to the next process. The restriction on the number
of items that may be sent out is imposed for practical optimization reasons.

Of course, the process may have computed more than M new items and in that
case, it stores the remaining answers in an accumulator (implemented by an extra
argument Store of the process). However, whenever it has sent the first M items to
the next process, our process may receive a new message. To respond to the new
message, the process first checks whether its store already contains at least M
items. In this case, it sends the first M items from its store and depending on the
incoming message, probably some new items are computed afterwards.
Otherwise, if the store contains fewer than M items, then the next process has to wait
until the new items are computed. After this computation, the first M items from
the newly obtained item list and the store are sent on to the next process. Again,
those items that our process could not send out are stored in its accumulator.

Finally, in order to empty the store, the empty list is sent to our process
repeatedly. In the end, so is the claim, this process will send the empty list as
well. This article describes how we are able to formally and automatically verify
this claim. The Erlang code is given below (because of space limitations the code
for obvious library functions like append and leq is not presented).

process(NextPid, Store) ->
    receive {Items, M} ->
        case leq(M, length(Store)) of
            true  -> {ToSend, ToStore} = split(M, Store),
                     NextPid ! {ToSend, M},
                     process(NextPid, append(map_f(self(), Items), ToStore));
            false -> {ToSend, ToStore} = split(M, append(map_f(self(), Items), Store)),
                     NextPid ! {ToSend, M},
                     process(NextPid, ToStore)
        end
    end.

map_f(Pid, nil) -> nil;
map_f(Pid, cons(H, T)) -> append(f(Pid, H), map_f(Pid, T)).

For a list L, split(M,L) returns a pair of lists {L1,L2} where L1 contains the
first M elements (or L if its length is shorter than M) and L2 contains the rest of L.
The command ‘!’ denotes the sending of data and NextPid ! {ToSend,M} stands
for sending the items ToSend and the integer M to the process with the identifier
NextPid. A process can obtain its own identifier by calling the function self().
For every item in the list Items, the function map_f(Pid, Items) computes new
data items by means of the function f(Pid, Item). So the actual computation
that f performs depends on the process identifier Pid. Hence, to compute new
data items for the incoming Items, our process has to pass its own identifier to
the function map_f, i.e., it calls map_f(self(), Items).

Note that this process itself is not a terminating function: in fact, it has been
designed to be non-terminating. Our aim is not to prove its termination, but to
verify a certain property, which can be expressed in terms of termination. As
part of the correctness proof of the software, we have to prove that if the process
continuously receives the message {nil,M} for any integer M, then eventually
the process will send the message {nil,M} as well. This property must hold
independent of the value of the store and of the way in which new data items
are generated from given ones. Therefore, f has been left unspecified, i.e., f may
be any terminating function which returns a list of arbitrary length.

The framework of term rewriting [DJ90,BN98] is very useful for this verification.
We prove the desired property by constructing a CTRS containing a binary
function process whose arguments represent the stored data items Store and the
integer M sent in the messages. In this example, we may abstract from the process
communication. Thus, the Erlang function self() becomes a constant and we
drop the send command (!) and the argument NextPid in the CTRS. Since we
assume that the process constantly receives the message {nil,M}, we hard-code
it into the CTRS. Thus, the variable Items is replaced by nil. As we still want
to reason about the variable M, we added it to the arguments of the process. To
model the function split (which returns a pair of lists) in the CTRS, we use
separate functions fstsplit and sndsplit for the two components of split’s result.
Now the idea is to force the function process to terminate if ToSend is the empty
list nil. So we only continue the computation if application of the function empty
to the result of fstsplit yields false. Thus, if all evaluations w.r.t. this CTRS
terminate, then the original process eventually outputs the demanded value.



leq(m, length(store)) →* true, empty(fstsplit(m, store)) →* false |
    process(store, m) → process(app(map_f(self, nil), sndsplit(m, store)), m)    (1)

leq(m, length(store)) →* false, empty(fstsplit(m, app(map_f(self, nil), store))) →* false |
    process(store, m) → process(sndsplit(m, app(map_f(self, nil), store)), m)    (2)

The auxiliary Erlang functions as well as the functions for empty, fstsplit, and 
sndsplit are straightforwardly expressed by unconditional rewrite rules. 



length(nil) → 0
length(cons(h, t)) → s(length(t))
fstsplit(0, x) → nil
fstsplit(s(n), nil) → nil
fstsplit(s(n), cons(h, t)) → cons(h, fstsplit(n, t))
sndsplit(0, x) → x
sndsplit(s(n), nil) → nil
sndsplit(s(n), cons(h, t)) → sndsplit(n, t)
empty(nil) → true
empty(cons(h, t)) → false
app(nil, x) → x
app(cons(h, t), x) → cons(h, app(t, x))
leq(0, m) → true
leq(s(n), 0) → false
leq(s(n), s(m)) → leq(n, m)
map_f(pid, nil) → nil
map_f(pid, cons(h, t)) → app(f(pid, h), map_f(pid, t))
The rules for the Erlang function f are not specified, since we have to verify
the desired property for any terminating function f. However, as Erlang has 
an eager (call-by-value) evaluation strategy, if a terminating Erlang function 
f is straightforwardly transformed into a (C)TRS (such as the above library 
functions), then any evaluation w.r.t. these rules is finite. Now to prove the 
desired property of the Erlang process, we have to show that the whole CTRS 
with all its extra rules for the auxiliary functions only permits finite evaluations. 

The construction of the above CTRS is rather straightforward, but it pre- 
supposes an understanding of the program and the verification problem and 
therefore it can hardly be mechanized. But after obtaining the CTRS, the proof 
that any evaluation w.r.t. this CTRS is finite should be done automatically. 

In this paper we describe an extension of the dependency pair technique 
which can perform such automatic proofs. Moreover, this extension is of general 
use for termination proofs of TRSs and CTRSs. Hence, our results significantly 
increase the class of systems where termination can be shown mechanically. 

3 Termination of Conditional Term Rewriting Systems 

A CTRS is a TRS where conditions $s_1 = t_1, \ldots, s_n = t_n$ may be added to rewrite
rules $l \to r$. In this paper, we restrict ourselves to CTRSs where all variables
in the conditions $s_i, t_i$ also occur in $l$. Depending on the interpretation of the
equality sign in the conditions, different rewrite relations can be associated with
a CTRS, cf. e.g. [Kap84,BK86,DOS88,BG89,DO90,Mid93,Gra94,SMI95,Gra96a,
Gra96b]. In our verification example, we transformed the problem into an oriented
CTRS [SMI95], where the equality signs in conditions of rewrite rules are
interpreted as reachability ($\to^*$). Thus, we denote rewrite rules by

$s_1 \to^* t_1, \ldots, s_n \to^* t_n \mid l \to r.$    (3)

In fact, we even have a normal CTRS, because all $t_i$ are ground normal forms
w.r.t. the TRS which results from dropping all conditions.

A reduction of $C[l\sigma]$ to $C[r\sigma]$ with rule (3) is only possible if $s_i\sigma$ reduces to
$t_i\sigma$ for all $1 \le i \le n$. Formally, the rewrite relation $\to_{\mathcal{R}}$ of a CTRS $\mathcal{R}$ can be
defined as $\to_{\mathcal{R}} = \bigcup_{j \in \mathbb{N}} \to_{\mathcal{R}_j}$, where $\mathcal{R}_0 = \emptyset$ and
$\mathcal{R}_{j+1} = \{\, l\sigma \to r\sigma \mid s_i\sigma \to^*_{\mathcal{R}_j} t_i\sigma$ for all $1 \le i \le n$ and some rule (3) in $\mathcal{R} \,\}$,
cf. e.g. [Mid93,Gra96b].

A CTRS $\mathcal{R}$ is terminating iff $\to_{\mathcal{R}}$ is well founded. But termination is not
enough to ensure that every evaluation with a CTRS is finite. For example,
assume that evaluation of the condition leq(m, length(store)) in our CTRS would
require the reduction of process(store, m). Then evaluation of process(store, m)
would yield an infinite computation. Nevertheless, process(store, m) could not
be rewritten further and thus, the CTRS would be terminating. But in this case,
the desired property would not hold for the original Erlang process, because this
would correspond to a deadlock situation where no messages are sent out at all.

For that reason, instead of termination one is often much more interested in
decreasing CTRSs [DOS88]. In this paper, we use a slightly modified notion of
decreasingness, because in our evaluation strategy conditions are checked from
left to right, cf. [WG94]. Thus, the $i$-th condition $s_i \to^* t_i$ is only checked if all
previous conditions $s_j \to^* t_j$ for $1 \le j < i$ hold.

Definition 1 (Left-Right Decreasing). A CTRS $\mathcal{R}$ is left-right decreasing
if there exists a well-founded relation $>$ containing the rewrite relation $\to_{\mathcal{R}}$ and
the subterm relation $\rhd$ such that $l\sigma > s_i\sigma$ holds for all rules like (3), all
$i \in \{1, \ldots, n\}$, and all substitutions $\sigma$ where $s_j\sigma \to^*_{\mathcal{R}} t_j\sigma$ for all $j \in \{1, \ldots, i-1\}$.

This definition of left-right decreasingness exactly captures the finiteness
of recursive evaluation of terms. (Obviously, decreasingness implies left-right
decreasingness, but not vice versa.) Hence, now our aim is to prove that the
CTRS corresponding to the Erlang process is left-right decreasing.

A standard approach for proving termination of a CTRS $\mathcal{R}$ is to verify
termination of the TRS which results from dropping all conditions (and for
decreasingness one has to impose some additional demands). But this approach
fails for CTRSs where the conditions are necessary to ensure termination. This
also happens in our example, because without the conditions empty(...) →* false
the CTRS is no longer terminating (and thus, not left-right decreasing either).

A solution for this problem is to transform CTRSs into unconditional TRSs,
cf. [DP87,CM87,Mar96]. For unconditional rules, let $\mathrm{tr}(l \to r) = \{l \to r\}$. If $\varphi$
is a conditional rule, i.e., $\varphi = $ ‘$s_1 \to^* t_1, \ldots, s_n \to^* t_n \mid l \to r$’, we define

$\mathrm{tr}(\varphi) = \{\, l \to \mathrm{if}_{1,\varphi}(\mathbf{x}, s_1) \,\} \cup \{\, \mathrm{if}_{i,\varphi}(\mathbf{x}, t_i) \to \mathrm{if}_{i+1,\varphi}(\mathbf{x}, s_{i+1}) \mid 1 \le i < n \,\} \cup \{\, \mathrm{if}_{n,\varphi}(\mathbf{x}, t_n) \to r \,\},$

where $\mathbf{x}$ is the tuple of all variables in $l$ and the if’s are new function symbols.
To ease readability we often just write $\mathrm{if}_n$ for some $n \in \mathbb{N}$ where $\mathrm{if}_n$ is a function
symbol which has not been used before.

Let $\mathcal{R}^{\mathrm{tr}} = \bigcup_{\varphi \in \mathcal{R}} \mathrm{tr}(\varphi)$. For CTRSs without extra variables, $\mathcal{R}^{\mathrm{tr}}$ is indeed an
(unconditional) TRS. (An extension to deterministic CTRSs [BC89] with extra
variables is also possible.) The transformation of Rule (1) results in

process(store, m) → if₁(store, m, leq(m, length(store)))    (4)
if₁(store, m, true) → if₂(store, m, empty(fstsplit(m, store)))    (5)
if₂(store, m, false) → process(app(map_f(self, nil), sndsplit(m, store)), m).    (6)

Now we aim to prove termination of $\mathcal{R}^{\mathrm{tr}}$ instead of $\mathcal{R}$’s left-right decreasingness.

In [CM87], this transformation is restricted to a limited class of convergent
CTRSs. However, in the following we show that for our purpose this restriction
is not necessary. In other words, termination of $\mathcal{R}^{\mathrm{tr}}$ indeed implies left-right
decreasingness (and thus also termination) of $\mathcal{R}$. Thus, this transformation is a
generally applicable technique to reduce the termination problem of CTRSs to a
termination problem of unconditional TRSs. (A similar approach was presented
in [Mar96] for decreasingness proofs (instead of left-right decreasingness) by
using a transformation where all conditions of a rule have to be checked in
parallel.) We first prove that any reduction with $\mathcal{R}$ can be simulated by $\mathcal{R}^{\mathrm{tr}}$.

Lemma 1. Let $q, q'$ be terms without if’s. If $q \to^*_{\mathcal{R}} q'$, then $q \to^*_{\mathcal{R}^{\mathrm{tr}}} q'$.
Proof. There must be a $j \in \mathbb{N}$ such that $q \to^*_{\mathcal{R}_j} q'$ ($j$ is the depth of the
reduction). We prove the theorem by induction on the depth and the length of
the reduction $q \to^*_{\mathcal{R}_j} q'$ (i.e., we use a lexicographic induction relation).

The reduction has the form $q \to_{\mathcal{R}_j} p \to^*_{\mathcal{R}_j} q'$ and by the induction hypothesis
we know $p \to^*_{\mathcal{R}^{\mathrm{tr}}} q'$. Thus, it suffices to prove $q \to^*_{\mathcal{R}^{\mathrm{tr}}} p$.

If the reduction $q \to_{\mathcal{R}_j} p$ is done with an unconditional rule of $\mathcal{R}$, then the
conjecture is trivial. Otherwise, we must have $q = C[l\sigma]$, $p = C[r\sigma]$ for some
context $C$ and some rule like (3). As the depth of the reductions $s_i\sigma \to^*_{\mathcal{R}} t_i\sigma$ is
less than the depth of the reduction $q \to^*_{\mathcal{R}_j} q'$, by the induction hypothesis we
have $s_i\sigma \to^*_{\mathcal{R}^{\mathrm{tr}}} t_i\sigma$. This implies $q \to^*_{\mathcal{R}^{\mathrm{tr}}} p$. □

Now the desired result is a direct consequence of Lemma 1.

Corollary 1 (Left-Right Decreasing of $\mathcal{R}$ by Termination of $\mathcal{R}^{\mathrm{tr}}$). If $\mathcal{R}^{\mathrm{tr}}$
is terminating, then $\mathcal{R}$ is left-right decreasing (and thus, it is also terminating).

Proof. If $\to_{\mathcal{R}^{\mathrm{tr}}}$ is well founded, then $\to_{\mathcal{R}^{\mathrm{tr}}} \cup \rhd$ and hence, the transitive closure
$(\to_{\mathcal{R}^{\mathrm{tr}}} \cup \rhd)^+$ are well founded, too. By Lemma 1, this relation satisfies all
conditions imposed on the relation $>$ in Def. 1. Hence, $\mathcal{R}$ is left-right decreasing. □

In our example, the conditional rule (2) is transformed into three additional
unconditional rules. But apart from the if-root symbol of the right-hand side, the
first of these rules is identical to (4). Thus, we obtain two overlapping rules in
the transformed TRS which correspond to the overlapping conditional rules (1)
and (2). However, in the CTRS this critical pair is infeasible [DOS88], i.e., the
conditions of both rules exclude each other. Thus, our transformation of CTRSs
into TRSs sometimes introduces unnecessary rules and overlap.

Therefore, whenever we construct a rule of the form $q \to \mathrm{if}_k(\mathbf{t})$ and there
already exists a rule $q \to \mathrm{if}_n(\mathbf{t})$, then we identify $\mathrm{if}_k$ and $\mathrm{if}_n$. This does not affect
the soundness of our approach, because termination of a TRS where all occurrences
of a symbol $g$ are substituted by a symbol $f$ with the same arity always
implies termination of the original TRS.¹ Thus, we obtain the additional rules:

if₁(store, m, false) → if₃(store, m, empty(fstsplit(m, app(map_f(self, nil), store))))    (7)
if₃(store, m, false) → process(sndsplit(m, app(map_f(self, nil), store)), m)    (8)
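The transformation tr of this section, together with the identification of if-symbols just described, carried out mechanically on rules (1) and (2). This is an added Python example, not code from the paper; terms are encoded as nested tuples, and the names Transformer, build_example and rendered are this example's own.

```python
"""The CTRS -> TRS transformation tr(phi) of Sect. 3, with the identification of
if-symbols for rules q -> if_k(t) and q -> if_n(t) that agree on q and t.
Term encoding: a variable is a str, an application is a tuple (symbol, *args),
a constant is a 1-tuple such as ('nil',)."""

def is_var(t):
    return isinstance(t, str)

def show(t):
    """Render a term the way the rules in the paper are written."""
    return t if is_var(t) else t[0] + (f"({', '.join(map(show, t[1:]))})" if len(t) > 1 else "")

def variables(t):
    """Distinct variables of t in left-to-right order (the tuple x of tr)."""
    if is_var(t):
        return [t]
    return list(dict.fromkeys(v for a in t[1:] for v in variables(a)))

class Transformer:
    """Accumulates the unconditional TRS R^tr, one conditional rule at a time."""

    def __init__(self):
        self.rules = []    # (lhs, rhs) pairs of R^tr, in the order they were built
        self.shared = {}   # (q, args) -> if-symbol already used in a rule q -> if(args)

    def if_symbol(self, q, args):
        """A fresh if-symbol, unless some rule q -> if_n(args) already exists."""
        key = (q, args)
        if key not in self.shared:
            self.shared[key] = f"if{len(self.shared) + 1}"
        return self.shared[key]

    def add_rule(self, lhs, rhs):
        if (lhs, rhs) not in self.rules:   # shared if-symbols make rule (4) reappear for (2)
            self.rules.append((lhs, rhs))

    def add(self, lhs, rhs, conds=()):
        """tr of 's_1 ->* t_1, ..., s_n ->* t_n | lhs -> rhs', conditions checked left to right."""
        if not conds:
            self.add_rule(lhs, rhs)         # unconditional rule: tr(l -> r) = {l -> r}
            return
        x = tuple(variables(lhs))
        name = self.if_symbol(lhs, x + (conds[0][0],))
        self.add_rule(lhs, (name,) + x + (conds[0][0],))            # l -> if_1(x, s_1)
        for (_, t_i), (s_next, _) in zip(conds, conds[1:]):
            q = (name,) + x + (t_i,)
            name = self.if_symbol(q, x + (s_next,))
            self.add_rule(q, (name,) + x + (s_next,))                # if_i(x, t_i) -> if_{i+1}(x, s_{i+1})
        self.add_rule((name,) + x + (conds[-1][1],), rhs)           # if_n(x, t_n) -> r

# Constructed input: the conditional rules (1) and (2) of the process CTRS (Sect. 2).
NIL, TRUE, FALSE, SELF = ('nil',), ('true',), ('false',), ('self',)
PROCESS = ('process', 'store', 'm')
LEQ = ('leq', 'm', ('length', 'store'))
NEW_STORE = ('app', ('map_f', SELF, NIL), ('sndsplit', 'm', 'store'))   # right side of (1)
APPENDED = ('app', ('map_f', SELF, NIL), 'store')                      # used in (2)

def build_example():
    """R^tr for rules (1) and (2): the five rules (4)-(8) of the paper."""
    tr = Transformer()
    tr.add(PROCESS, ('process', NEW_STORE, 'm'),
           conds=[(LEQ, TRUE), (('empty', ('fstsplit', 'm', 'store')), FALSE)])     # rule (1)
    tr.add(PROCESS, ('process', ('sndsplit', 'm', APPENDED), 'm'),
           conds=[(LEQ, FALSE), (('empty', ('fstsplit', 'm', APPENDED)), FALSE)])  # rule (2)
    return tr.rules

def rendered():
    """The rules of R^tr as strings in the paper's notation."""
    return [f"{show(l)} -> {show(r)}" for l, r in build_example()]

if __name__ == "__main__":
    print("\n".join(rendered()))
```

Because rule (2) reuses if₁, only five rules are produced instead of six, and the duplicate of (4) is dropped.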

If termination of a CTRS depends on its conditions, then in general termination
of the transformed TRS can only be shown if one examines which terms
may follow each other in a reduction. However, in the classical approaches based
on simplification orderings (cf. e.g. [Der87,Ste95]), such considerations do not
take place. Hence, they fail in proving the termination of (4)-(8). For this reason,
such transformations into unconditional TRSs have rarely been applied for

¹ This possibility to eliminate unnecessary overlap is an advantage of our transformation
compared to the one of [Mar96], where the transformed unconditional TRSs
remain overlapping. In practice, proving termination of non-overlapping TRSs is
significantly easier, since one may use techniques specifically tailored to innermost
termination proofs, see below.
termination (or decreasingness) proofs of CTRSs. However, we will demonstrate
that with the dependency pair approach this transformation is very useful.

To verify our original goal, we now have to prove termination of the transformed
TRS which consists of (4)-(8), the rules for all auxiliary (library) functions
from Sect. 2, and the (unknown) rules for the unspecified function f. Note that if
an Erlang function is straightforwardly transformed into a TRS, then this TRS is
non-overlapping. Thus, we assume that all possible rules for the unspecified function
f are non-overlapping as well. Then it is sufficient just to prove innermost
termination of the resulting TRS, cf. e.g. [Gra95]. In order to apply verification
on a large scale, the aim is to perform such proofs automatically. Extending the
dependency pair technique makes this possible.

4 Dependency Pairs 

Dependency pairs allow the use of existing techniques like simplification orderings
for automated termination and innermost termination proofs where they
were not applicable before. In this section we briefly recapitulate the basic concepts
of this approach and we present the theorems that we need for the rest of
the paper. For further details and explanations see [AG97b,AG98,AG99].

In contrast to the standard approaches for termination proofs, which compare
left and right-hand sides of rules, we only examine those subterms that are
responsible for starting new reductions. For that purpose we concentrate on
the subterms in the right-hand sides of rules that have a defined² root symbol,
because these are the only terms a rewrite rule can ever be applied to.

More precisely, for every rule $f(s_1, \ldots, s_n) \to C[g(t_1, \ldots, t_m)]$ (where $f$ and $g$
are defined symbols), we compare the argument tuples $s_1, \ldots, s_n$ and $t_1, \ldots, t_m$.
To avoid the handling of tuples, for every defined symb$f$ we introduce a
fresh tuple symbol $F$. To ease readability, we assume that the original signature
consists of lower case function symbols only, whereas the tuple symbols are
denoted by the corresponding upper case symbols. Now instead of the tuples
$s_1, \ldots, s_n$ and $t_1, \ldots, t_m$ we compare the terms $F(s_1, \ldots, s_n)$ and $G(t_1, \ldots, t_m)$.

Definition 2 (Dependency Pair). If $f(s_1, \ldots, s_n) \to C[g(t_1, \ldots, t_m)] \in \mathcal{R}$
and $g$ is defined, then $\langle F(s_1, \ldots, s_n), G(t_1, \ldots, t_m) \rangle$ is a dependency pair of $\mathcal{R}$.

For the rules (4)-(8), (besides others) we obtain the following dependency pairs.

⟨PROCESS(store, m), IF₁(store, m, leq(m, length(store)))⟩    (9)
⟨IF₁(store, m, true), IF₂(store, m, empty(fstsplit(m, store)))⟩    (10)
⟨IF₂(store, m, false), PROCESS(app(map_f(self, nil), sndsplit(m, store)), m)⟩    (11)
⟨IF₁(store, m, false), IF₃(store, m, empty(fstsplit(m, app(map_f(self, nil), store))))⟩    (12)
⟨IF₃(store, m, false), PROCESS(sndsplit(m, app(map_f(self, nil), store)), m)⟩    (13)

To trace newly introduced redexes in an innermost reduction, we consider
special sequences of dependency pairs, so-called innermost chains.

² Root symbols of left-hand sides are defined and all other functions are constructors.
Definition 3 (Innermost $\mathcal{R}$-chains). Let $\mathcal{R}$ be a TRS. A sequence of dependency
pairs $\langle s_1, t_1 \rangle \langle s_2, t_2 \rangle \ldots$ is called an innermost $\mathcal{R}$-chain if there exists a
substitution $\sigma$, such that all $s_j\sigma$ are in normal form and $t_j\sigma \stackrel{i}{\to}^*_{\mathcal{R}} s_{j+1}\sigma$
(innermost reduction) holds for every two consecutive pairs $\langle s_j, t_j \rangle$ and
$\langle s_{j+1}, t_{j+1} \rangle$ in the sequence.

We always assume that different (occurrences of) dependency pairs have 
disjoint variables and we always regard substitutions whose domains may be 
infinite. In [AG97b] we showed that the absence of infinite innermost chains is 
a (sufficient and necessary) criterion for innermost termination. To improve this 
criterion we introduced the following graph which contains arcs between all those 
dependency pairs which may follow each other in innermost chains. 

Definition 4 (Estimated Innermost Dependency Graph). Let CAP($t$) result
from $t$ by replacing all subterms with defined root symbols by different fresh
variables. The estimated innermost dependency graph is the directed graph whose
nodes are the dependency pairs and there is an arc from $\langle s, t \rangle$ to $\langle v, w \rangle$ iff CAP($t$)
and $v$ are unifiable by a mgu $\mu$ where $s\mu$ and $v\mu$ are normal forms. A non-empty
set $\mathcal{P}$ of dependency pairs is called a cycle iff for all $\langle s, t \rangle, \langle v, w \rangle \in \mathcal{P}$, there is a
path from $\langle s, t \rangle$ to $\langle v, w \rangle$ in this graph, which only traverses pairs from $\mathcal{P}$.

In our example, (besides others) there are arcs from (9) to (10) and (12),
from (10) to (11), from (12) to (13), and from both (11) and (13) to (9).
Thus, the dependency pairs (9)-(13) form the cycles $\mathcal{P}_1 = \{(9), (10), (11)\}$,
$\mathcal{P}_2 = \{(9), (12), (13)\}$, and $\mathcal{P}_3 = \{(9), (10), (11), (12), (13)\}$. However, (9)-(13)
are not on a cycle with any other dependency pair (e.g., dependency pairs from
the rules of the auxiliary library functions or the unspecified function f, since we
assume that f does not call process). This leads to the following refined criterion.

Theorem 1 (Innermost Termination Criterion). A finite TRS $\mathcal{R}$ is innermost
terminating iff for each cycle $\mathcal{P}$ in the estimated innermost dependency
graph there exists no infinite innermost $\mathcal{R}$-chain of dependency pairs from $\mathcal{P}$.

Note that in our definition, a cycle is a set of dependency pairs. Thus, for
a finite TRS there only exist finitely many cycles $\mathcal{P}$. The automation of the
technique is based on the generation of inequalities. For every cycle $\mathcal{P}$ we search
for a well-founded quasi-ordering $\succsim_{\mathcal{P}}$ satisfying $s \succsim_{\mathcal{P}} t$ for all dependency pairs
$\langle s, t \rangle$ in $\mathcal{P}$. Moreover, for at least one $\langle s, t \rangle$ in $\mathcal{P}$ we demand $s \succ_{\mathcal{P}} t$. In addition,
to ensure $t\sigma \succsim_{\mathcal{P}} v\sigma$ whenever $t\sigma$ reduces to $v\sigma$ (for consecutive pairs $\langle s, t \rangle$ and
$\langle v, w \rangle$), we have to demand $l \succsim_{\mathcal{P}} r$ for all those rules $l \to r$ of the TRS that
may be used in this reduction. As we restrict ourselves to normal substitutions
$\sigma$, not all rules are usable in a reduction of $t\sigma$. In general, if $t$ contains a defined
symbol $f$, then all $f$-rules are usable and moreover, all rules that are usable for
right-hand sides of $f$-rules are also usable for $t$. Now we obtain the following
theorem for automated³ innermost termination proofs.

Theorem 2 (Innermost Termination Proofs). A finite TRS is innermost
terminating if for each cycle $\mathcal{P}$ there is a well-founded weakly monotonic quasi-ordering
$\succsim_{\mathcal{P}}$ where both $\succsim_{\mathcal{P}}$ and $\succ_{\mathcal{P}}$ are closed under substitution, such that

• $l \succsim_{\mathcal{P}} r$ for all rules $l \to r$ that are usable for some $t$ with $\langle s, t \rangle \in \mathcal{P}$,

• $s \succsim_{\mathcal{P}} t$ for all dependency pairs $\langle s, t \rangle$ from $\mathcal{P}$, and

• $s \succ_{\mathcal{P}} t$ for at least one dependency pair $\langle s, t \rangle$ from $\mathcal{P}$.

³ Additional refinements for the automation can be found in [AG97b,AG99].

Note that for Thm. 1 and 2 it is crucial to consider all cycles $\mathcal{P}$, not just the
minimal ones (which contain no other cycles as proper subsets).

In Sect. 2 we presented the rules for the auxiliary functions in our example.
Proving absence of infinite innermost chains for the cycles of their dependency
pairs is very straightforward using Thm. 2. (So all library functions of our TRS
are innermost terminating.) Moreover, as we assumed f to be a terminating
function, its cycles do not lead to infinite innermost chains either.

Recall that (9)-(13) are not on cycles together with the remaining dependency
pairs. Thus, what is left for verifying the desired property is proving
absence of infinite innermost chains for the cycles $\mathcal{P}_1, \mathcal{P}_2, \mathcal{P}_3$, where all rules of
the whole TRS are possible candidates for being usable rules (also the rules for
the unspecified function f).

Thm. 2 demands $s \succsim_{\mathcal{P}} t$ resp. $s \succ_{\mathcal{P}} t$ for dependency pairs $\langle s, t \rangle$ on cycles.
However for (9)-(13), these inequalities are not satisfied by any quasi-simplification
ordering.⁴ Thus, the automated proof fails here. Moreover, it is unclear which
inequalities we have to add for the usable rules, since the rules for f are not
given. Therefore, we have to extend the dependency pair technique.

5 Narrowing Dependency Pairs 

To prove the absence of infinite innermost chains, for a dependency pair $\langle v, w \rangle$ it
would be sufficient to demand $v\sigma \succsim_{\mathcal{P}} w\sigma$ resp. $v\sigma \succ_{\mathcal{P}} w\sigma$ just for those instantiations
$\sigma$ where an instantiated right component $t\sigma$ of a previous dependency pair
$\langle s, t \rangle$ reduces to $v\sigma$. For example, (11) only has to be regarded for instantiations $\sigma$
where the instantiated right component IF₂(store, m, empty(fstsplit(m, store)))$\sigma$
of (10) reduces to the instantiated left component IF₂(store, m, false)$\sigma$ of (11).
In fact, this can only happen if store is not empty, i.e., if store reduces to the
form cons(h, t). However, this observation has not been used in the inequalities
of Thm. 2 and hence, we could not find an ordering for them. Thus, the idea is
to perform the computation of empty on the level of the dependency pair. For
that purpose the well-known concept of narrowing is extended to pairs of terms.

Definition 5 (Narrowing Pairs). If a term $t$ narrows to a term $t'$ via the
substitution $\mu$, then the pair of terms $\langle s, t \rangle$ narrows to the pair $\langle s\mu, t' \rangle$.

For example, the narrowings of the dependency pair (10) are

⟨IF₁(x, 0, true), IF₂(x, 0, empty(nil))⟩    (10a)
⟨IF₁(nil, s(n), true), IF₂(nil, s(n), empty(nil))⟩    (10b)
⟨IF₁(cons(h, t), s(n), true), IF₂(cons(h, t), s(n), empty(cons(h, fstsplit(n, t))))⟩.    (10c)

⁴ Essentially, the reason is that the left-hand side of dependency pair (9) is embedded
in the right-hand sides of the pairs (11) and (13).
Thus, if a dependency pair $\langle s, t \rangle$ is followed by some dependency pairs $\langle v, w \rangle$
in an innermost chain and if $t$ is not already unifiable with $v$ (i.e., at least one
rule is needed to reduce $t\sigma$ to $v\sigma$), then in order to ‘approximate’ the possible
reductions of $t\sigma$ we may replace $\langle s, t \rangle$ by all its narrowings. Hence, we can replace
the dependency pair (10) by the new pairs (10a)-(10c).

This enables us to extract necessary information from the last arguments of
if’s, i.e., from the former conditions of the CTRS. Thus, the narrowing refinement
is the main reason why the transformation of CTRSs into TRSs is useful when
analyzing the termination behaviour with dependency pairs. The number of
narrowings for a pair is finite (up to variable renaming) and it can easily be
computed automatically. The soundness of this technique is proved in [AG99].

Theorem 3 (Narrowing Refinement). Let P be a set of pairs of terms and 
let (s,t) ∈ P such that Var(t) ⊆ Var(s) and such that for all (renamings of) 
(v,w) ∈ P, the terms t and v are not unifiable. Let P' result from P by replacing 
(s,t) by all its narrowings. If there exists no infinite innermost chain of pairs 
from P', then there exists no infinite innermost chain of pairs from P either. 

So we may always replace a dependency pair by all its narrowings. However, 
while this refinement is sound, in general it destroys the necessity of our 
innermost termination criterion in Thm. 1. For example, the TRS with the rules 
f(s(x)) → f(g(h(x))), g(h(x)) → g(x), g(0) → s(0), h(0) → 1 is innermost 
terminating. But if the dependency pair (F(s(x)), F(g(h(x)))) is replaced by its 
narrowings (F(s(0)), F(g(1))) and (F(s(x)), F(g(x))), then (F(s(x)), F(g(x))) forms 
an infinite innermost chain (using the instantiation {x/0}: F(g(0)) rewrites to F(s(0)), 
which is again an instance of F(s(x))). 

Nevertheless, in the application domain of process verification, we can 
restrict ourselves to non-overlapping TRSs. The following theorem shows that for 
these TRSs, narrowing dependency pairs indeed is a completeness preserving 
technique. More precisely, whenever innermost termination can be proved with 
the pairs P, then it can also be proved with the pairs P'. 

Theorem 4 (Narrowing Dependency Pairs Preserves Completeness). 

Let R be an innermost terminating non-overlapping TRS and let P, P' be as 
in Thm. 3. If there exists no infinite innermost R-chain of pairs from P, then 
there exists no infinite innermost R-chain of pairs from P' either. 

Proof. We show that every innermost R-chain $\ldots (v_1,w_1)\,(s',t')\,(v_2,w_2) \ldots$ from 
P' can be transformed into an innermost chain from P of the same length. There 
must be a substitution σ such that for all pairs the instantiated left-hand side is 
a normal form and the instantiated right-hand side reduces to the instantiated 
left-hand side of the next pair in the innermost chain. So in particular we have 

$w_1\sigma \to_i^* s'\sigma$ and $t'\sigma \to_i^* v_2\sigma$. 

We know that (s,t) narrows to (s',t') via a substitution μ. As the variables in 
(s,t) are disjoint from all other variables, we may extend σ to 'behave' like μσ on 
the variables of s and t. Then we have $s\sigma = s\mu\sigma = s'\sigma$ and hence, $w_1\sigma \to_i^* s\sigma$. 
Moreover, by the definition of narrowing, $t\mu \to_R t'$. This implies $t\mu\sigma \to_R t'\sigma$ 
and as $t\sigma = t\mu\sigma$, we have $t\sigma \to_R t'\sigma \to_i^* v_2\sigma$ where $v_2\sigma$ is a normal form. As 
R is innermost terminating and non-overlapping, it is convergent. Thus, every 
term has a unique normal form and hence, repeated application of innermost 
reduction steps to tσ also yields the normal form $v_2\sigma$, i.e., $t\sigma \to_i^* v_2\sigma$. 

Thus, $\ldots (v_1,w_1)\,(s,t)\,(v_2,w_2) \ldots$ is also an innermost R-chain. □ 

Hence, independent of the technique used to check the absence of infinite 
innermost chains, narrowing dependency pairs can never destroy the success of 
the innermost termination proof. Moreover, narrowing can of course be repeated 
an arbitrary number of times. Thus, after replacing (10) by (10a)-(10c), we may 
subsequently replace (10a) and (10b) by their respective narrowings. 

(IF_1(x, 0, true), IF_2(x, 0, true)) (10aa) 

(IF_1(nil, s(n), true), IF_2(nil, s(n), true)) (10ba) 

This excludes them from being on a cycle in the estimated innermost dependency 
graph. Thus, now instead of the dependency pairs (9)-(13) we consider 
(9), (10c), (11), (12), and (13). A further narrowing of (10c) is not necessary 
for our purposes (but according to Thm. 4 it would not harm either). The right 
component of the dependency pair (11) unifies with the left component of (9) 
and therefore, (11) must not be narrowed. Instead we narrow (9). 

(PROCESS(nil, m), IF_1(nil, m, leq(m, 0))) (9a) 

(PROCESS(cons(h,t), m), IF_1(cons(h,t), m, leq(m, s(length(t))))) (9b) 

(PROCESS(store, 0), IF_1(store, 0, true)) (9c) 

By narrowing (10) to (10c), we determined that we only have to regard instantiations 
where store has the form cons(h,t) and m has the form s(n). Thus, (9a) 
and (9c) do not occur on a cycle and therefore, (9) can be replaced by (9b) only. 

As (11)'s right component does not unify with left components any longer, 
we may now narrow (11) as well. By repeated narrowing steps and by dropping 
those pairs which do not occur on cycles, (11) can be replaced by 

(IF_2(cons(h,t), s(n), false), PROCESS(sndsplit(n,t), s(n))) (11aac) 

(IF_2(cons(h,t), s(n), false), PROCESS(app(nil, sndsplit(n,t)), s(n))) (11ad) 

(IF_2(cons(h,t), s(n), false), PROCESS(app(map_f(self, nil), sndsplit(n,t)), s(n))) (11d) 

Now for the cycle P_1, it is (for example) sufficient to demand that (11aac), 
(11ad), and (11d) are strictly decreasing and that (9b), (10c), and all usable 
rules are weakly decreasing. Similar narrowings can also be applied for the pairs 
(12) and (13) which results in analogous inequalities for the cycles P_2 and P_3. 

Most standard orderings amenable to automation are strongly monotonic 
path orderings (cf. e.g. [Der87,Ste95]), whereas here we only need weak monotonicity. 
Hence, before synthesizing a suitable ordering, some of the arguments of 
function symbols may be eliminated, cf. [AG99]. For example, in our inequalities 
one may eliminate the third argument of IF_2. Then every term IF_2(t_1, t_2, t_3) in 
the inequalities is replaced by IF_2'(t_1, t_2) (where IF_2' is a new binary function 
symbol). By comparing the terms resulting from this replacement instead of the 
original terms, we can take advantage of the fact that IF_2 does not have to be 
strongly monotonic in its third argument. Similarly, in our example we will also 
eliminate the third arguments of IF_1 and IF_3 and the first argument of sndsplit. 
Note that there are only finitely many (and only few) possibilities to eliminate 
arguments of function symbols. Therefore all these possibilities can be checked 
automatically. In this way, the recursive path ordering (rpo) satisfies the inequalities 
for (11aac), (9b), (10c), for the dependency pairs resulting from (12) and 
(13), and for all (known) usable rules. However, the inequalities resulting from 
(11ad) and (11d) 

IF_2'(cons(h,t), s(n)) ≻ PROCESS(app(nil, sndsplit'(t)), s(n)) 

IF_2'(cons(h,t), s(n)) ≻ PROCESS(app(map_f(self, nil), sndsplit'(t)), s(n)) 

are not satisfied because of the app-terms on the right-hand sides (as the app-rule 
forces app to be greater than cons in the precedence of the rpo). Moreover, the 
map_f-term in the inequalities requires us to consider the usable rules corresponding 
to the (unspecified) Erlang function f as well. 

To get rid of these terms, one would like to perform narrowing on map_f and 
app. However, in general narrowing only some subterms of right components is 
unsound (see the first footnote below). Instead, we always have to replace a pair by all its narrowings. But 
then narrowing (11ad) and (11d) provides no solution here, since narrowing the 
sndsplit-subterm results in pairs containing problematic app- and map_f-terms 
again. In the next section we describe a technique which solves the above 
problem. 

6 Rewriting Dependency Pairs 

While performing only some narrowing steps is unsound, for non-overlapping 
TRSs it is at least sound to perform only one of the possible rewrite steps (see the second footnote below). So if 
t →_R r, then we may replace a dependency pair (s,t) by (s,r). Note that this technique 
is only applicable to dependency pairs, but not to rules of the TRS. Indeed, 
by reducing the right-hand side of a rule, a non (innermost) terminating TRS 
can be transformed into a terminating one, even if the TRS is non-overlapping. 
As an example regard the TRS with the rules 0 → f(0), f(x) → 1 which is clearly 
not innermost terminating. However, if the right-hand side of the first rule is 
rewritten to 1, then the resulting TRS is terminating. The following theorem 
proves that our refinement of the dependency pair approach is sound. 

Footnote: As an example regard the TRS f(0,1) → s(1), f(x,0) → 1, a → 0, and g(s(y)) → 
g(f(a,y)). If we would replace the dependency pair (G(s(y)), G(f(a,y))) by only one 
of its narrowings, viz. (G(s(0)), G(1)), then one could falsely prove innermost termination, 
although the term g(s(1)) starts an infinite innermost reduction. 

Footnote: Combining narrowing and rewriting is common in normal narrowing strategies to 
solve E-unification problems [Fay79,Han94]. However, in contrast to our approach, 
normal narrowing is only used for convergent TRSs and instead of performing one 
(or arbitrarily many) rewrite steps, there one rewrites terms to normal forms. 
Theorem 5 (Rewriting Dependency Pairs). Let R be non-overlapping and 
let P be a set of pairs of terms. Let (s,t) ∈ P, let t →_R r and let P' result from 
P by replacing (s,t) by (s,r). If there exists no infinite innermost chain of pairs 
from P', then there exists no infinite innermost chain from P either. 

Proof. By replacing all (renamed) occurrences of (s,t) with the corresponding 
renamed occurrences of (s,r), every innermost chain ... (s,t) (v,w) ... from P 
can be translated into an innermost chain from P' of the same length. The reason 
is that there must be a substitution σ with $t\sigma \to_i^* v\sigma$ where vσ is a normal 
form. So tσ is weakly innermost normalizing and thus, by [Gra96a, Thm. 3.2.11 
(1a) and (4a)], tσ is confluent and strongly normalizing. With $t \to_R r$ we obtain 
$t\sigma \to_R r\sigma$. Hence, rσ is strongly normalizing as well and thus, it also reduces 
innermost to some normal form q. Now confluence of tσ implies q = vσ. Therefore, 

... (s,r) (v,w) ... is an innermost chain, too. □ 

The converse of Thm. 5 holds as well if P is obtained from the dependency 
pairs by repeated narrowing and rewriting steps. So similar to narrowing, rewriting 
dependency pairs does not destroy the necessity of our criterion either. 

Theorem 6 (Rewriting Dependency Pairs Preserves Completeness). 

Let R be an innermost terminating non-overlapping TRS and let P, P' be as 
in Thm. 5. If there exists no infinite innermost R-chain of pairs from P, then 
there exists no infinite innermost R-chain of pairs from P' either. 

Proof. In an innermost chain ... (s,r) (v,w) ... from P', replacing all (renamed) 
occurrences of (s,r) by corresponding renamings of (s,t) yields an innermost 
chain from P of the same length. The reason is that there must be a σ with $r\sigma \to_i^* v\sigma$. 
Thus, $t\sigma \to_R r\sigma \to_i^* v\sigma$ implies $t\sigma \to_i^* v\sigma$ by the convergence of R. □ 
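The narrowing of Sect. 5 (Def. 5, Thms. 3 and 4), the counterexample of the first footnote, and the single-rewrite-step refinement of Thm. 5, as an added worked example. This is example code written for this page, not code from the paper or from the authors' tool: a small term library with syntactic unification, one-step rewriting, narrowing of a pair per Def. 5, and a critical-pair check for the non-overlapping condition that Thms. 4-6 require. It is run on the TRS of the footnote (f(0,1) → s(1), f(x,0) → 1, a → 0, g(s(y)) → g(f(a,y))) and on the TRS f(s(x)) → f(g(h(x))), g(h(x)) → g(x), g(0) → s(0), h(0) → 1 from Sect. 5; the Python encoding of terms and the renaming scheme for rule variables are assumptions of the example.

```python
from dataclasses import dataclass

# Added example for this page, not code from the paper or the authors' tool.
# Terms, syntactic unification, one-step rewriting, narrowing of a dependency
# pair (Def. 5) and the non-overlapping check needed by Thms. 4-6.  The Python
# encoding of terms and the renaming scheme for rule variables are assumptions.

@dataclass(frozen=True)
class V:                 # variable
    name: str

@dataclass(frozen=True)
class T:                 # f(t1, ..., tn); a constant has args == ()
    f: str
    args: tuple = ()

def show(t):
    return t.name if isinstance(t, V) else t.f + ("(%s)" % ", ".join(map(show, t.args)) if t.args else "")
def subst(t, s):         # apply substitution s (dict: variable name -> term)
    return s.get(t.name, t) if isinstance(t, V) else T(t.f, tuple(subst(a, s) for a in t.args))
def rename(t, tag):      # variant of a rule with fresh variables x -> x<tag>
    return V(t.name + tag) if isinstance(t, V) else T(t.f, tuple(rename(a, tag) for a in t.args))
def occurs(x, t):
    return t.name == x if isinstance(t, V) else any(occurs(x, a) for a in t.args)

def unify(eqs):
    """Most general unifier of a list of term pairs (with occurs check), or None."""
    s, todo = {}, list(eqs)
    while todo:
        a, b = (subst(side, s) for side in todo.pop())
        if a == b:
            continue
        if isinstance(a, V) or isinstance(b, V):
            # when both sides are variables bind the right-hand one, so that unifying a
            # term with a renamed rule lhs never instantiates the term's own variables
            x, t = (b, a) if isinstance(b, V) else (a, b)
            if occurs(x.name, t):
                return None
            s = {k: subst(v, {x.name: t}) for k, v in s.items()}
            s[x.name] = t
        elif a.f == b.f and len(a.args) == len(b.args):
            todo.extend(zip(a.args, b.args))
        else:
            return None
    return s

def positions(t, path=()):   # all (position, subterm) pairs of t, root first
    yield path, t
    if isinstance(t, T):
        for i, a in enumerate(t.args):
            yield from positions(a, path + (i,))

def replace(t, path, r):     # t[r]_path
    return r if not path else T(t.f, tuple(replace(a, path[1:], r) if i == path[0] else a
                                          for i, a in enumerate(t.args)))

def rewrite_steps(t, rules):
    """All r with t ->_R r in one step (any position, any rule); Thm. 5 lets us keep one."""
    out = []
    for p, sub in positions(t):
        if isinstance(sub, V):
            continue
        for k, (l, r) in enumerate(rules):
            tag = "'%d" % k
            mu = unify([(sub, rename(l, tag))])
            if mu is not None and all(v.endswith(tag) for v in mu):   # a match: only rule vars bound
                out.append(replace(t, p, subst(rename(r, tag), mu)))
    return out

def narrow_pair(s, t, rules):
    """All narrowings of (s, t) per Def. 5: for every non-variable position p of t and
    every renamed rule l -> r with mgu mu of t|_p and l, the pair (s mu, (t[r]_p) mu)."""
    out = []
    for p, sub in positions(t):
        if isinstance(sub, V):
            continue
        for k, (l, r) in enumerate(rules):
            l, r = rename(l, "'%d" % k), rename(r, "'%d" % k)
            mu = unify([(sub, l)])
            if mu is not None:
                out.append((subst(s, mu), subst(replace(t, p, r), mu)))
    return out

def non_overlapping(rules):
    """True iff no lhs unifies with a non-variable subterm of another (renamed) lhs
    or with a proper non-variable subterm of itself, i.e. there are no critical pairs."""
    for i, (l1, _) in enumerate(rules):
        for j, (l2, _) in enumerate(rules):
            for p, sub in positions(rename(l2, "'")):
                if isinstance(sub, V) or (i == j and p == ()):
                    continue
                if unify([(rename(l1, "''"), sub)]) is not None:
                    return False
    return True

ZERO, ONE, x, y = T("0"), T("1"), V("x"), V("y")
# TRS of the footnote to Sect. 5: f(0,1) -> s(1), f(x,0) -> 1, a -> 0, g(s(y)) -> g(f(a,y))
FOOTNOTE_TRS = [(T("f", (ZERO, ONE)), T("s", (ONE,))), (T("f", (x, ZERO)), ONE), (T("a"), ZERO),
                (T("g", (T("s", (y,)),)), T("g", (T("f", (T("a"), y)),)))]
FOOTNOTE_PAIR = (T("G", (T("s", (y,)),)), T("G", (T("f", (T("a"), y)),)))
# TRS of Sect. 5: f(s(x)) -> f(g(h(x))), g(h(x)) -> g(x), g(0) -> s(0), h(0) -> 1
SECT5_TRS = [(T("f", (T("s", (x,)),)), T("f", (T("g", (T("h", (x,)),)),))),
             (T("g", (T("h", (x,)),)), T("g", (x,))), (T("g", (ZERO,)), T("s", (ZERO,))),
             (T("h", (ZERO,)), ONE)]
SECT5_PAIR = (T("F", (T("s", (x,)),)), T("F", (T("g", (T("h", (x,)),)),)))

if __name__ == "__main__":
    print([(show(s), show(t)) for s, t in narrow_pair(*FOOTNOTE_PAIR, FOOTNOTE_TRS)])
    print([show(r) for r in rewrite_steps(FOOTNOTE_PAIR[1], FOOTNOTE_TRS)])
    print(non_overlapping(FOOTNOTE_TRS), non_overlapping(SECT5_TRS))
```

narrow_pair returns both narrowings of (G(s(y)), G(f(a,y))), namely (G(s(0)), G(1)) and (G(s(y)), G(f(0,y))); keeping only the first is exactly the unsound step of the footnote, whereas rewrite_steps yields the single reduct G(f(0,y)) that Thm. 5 allows one to substitute for the right component. For the Sect. 5 TRS the two narrowings (F(s(0)), F(g(1))) and (F(s(x)), F(g(x))) of the text are reproduced, and non_overlapping reports that TRS as overlapping (h(0) unifies with the subterm h(x) of g(h(x))), which is why Thm. 4 gives no completeness guarantee there, while the footnote TRS is non-overlapping.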

In our example we may now eliminate app and map_f by rewriting the pairs 
(11ad) and (11d). Even better, before narrowing, we could first rewrite (11), 
(12), and (13). Moreover, we could simplify (10c) by rewriting it as well. Thus, 
the resulting pairs on the cycles we are interested in are: 

(PROCESS(cons(h,t), m), IF_1(cons(h,t), m, leq(m, s(length(t))))) (9b) 

(IF_1(cons(h,t), s(n), true), IF_2(cons(h,t), s(n), false)) (10c') 

(IF_2(store, m, false), PROCESS(sndsplit(m, store), m)) (11') 

(IF_1(store, m, false), IF_3(store, m, empty(fstsplit(m, store)))) (12') 

(IF_3(store, m, false), PROCESS(sndsplit(m, store), m)) (13') 

Analogous to Sect. 5, now we narrow (11'), (12'), (13'), perform a rewrite step 
for one of (12')'s narrowings, and delete those resulting pairs which are not on 
any cycle. In this way, (11'), (12'), (13') are replaced by 

(IF_2(cons(h,t), s(n), false), PROCESS(sndsplit(n,t), s(n))) (11'') 

(IF_1(cons(h,t), s(n), false), IF_3(cons(h,t), s(n), false)) (12'') 

(IF_3(cons(h,t), s(n), false), PROCESS(sndsplit(n,t), s(n))) (13'') 
By eliminating the first argument of sndsplit and the third arguments of IF_1, IF_2, 
and IF_3 (cf. Sect. 5), we obtain the following inequalities. Note that according 
to Thm. 2, these inequalities prove the absence of infinite innermost chains for 
all three cycles built from (9b), (10c'), and (11'')-(13''), since for each of these 
cycles (at least) one of its dependency pairs is strictly decreasing. 

Dependency pairs: 

PROCESS(cons(h,t), m) ⪰ IF_1'(cons(h,t), m) 
IF_1'(cons(h,t), s(n)) ⪰ IF_2'(cons(h,t), s(n)) 
IF_1'(cons(h,t), s(n)) ⪰ IF_3'(cons(h,t), s(n)) 
IF_2'(cons(h,t), s(n)) ≻ PROCESS(sndsplit'(t), s(n)) 
IF_3'(cons(h,t), s(n)) ≻ PROCESS(sndsplit'(t), s(n)) 

Usable rules: 

sndsplit'(x) ⪰ x 
sndsplit'(nil) ⪰ nil 
sndsplit'(cons(h,t)) ⪰ sndsplit'(t) 
l ⪰ r for all rules l → r with root(l) ∈ {leq, length} 

Now these inequalities are satisfied by the rpo. The second group contains all 
inequalities corresponding to the usable rules, since the rules for map_f and f are 
no longer usable. Hence, the TRS of Sect. 3 is innermost terminating. In this way, 
left-right decreasingness of the CTRS from Sect. 2 could be proved automatically. 
Therefore, the desired property holds for the original Erlang process. 

7 Conclusion 

We have shown that rewriting techniques (and in particular, the dependency 
pair approach) can be successfully applied for process verification tasks in 
industry. While our work was motivated by a specific process verification problem, 
in this paper we developed several new techniques which are of general use in 
term rewriting. First of all, we showed how dependency pairs can be utilized 
to prove that conditional term rewriting systems are decreasing and terminating. 
Moreover, we presented two refinements which considerably increase the 
class of systems where dependency pairs are successful. The first refinement of 
narrowing dependency pairs was already introduced in [AG99], but completeness 
of the technique for non-overlapping TRSs is a new result. It ensures that 
application of the narrowing technique can never destroy the success of such 
an innermost termination proof. In fact, our narrowing refinement is the main 
reason why the approach of handling CTRSs by transforming them into TRSs 
is successful in combination with the dependency pair approach (whereas this 
transformation is usually not of much use for the standard termination proving 
techniques). Finally, to strengthen the power of dependency pairs we introduced 
the novel technique of rewriting dependency pairs and proved its soundness and 
completeness for innermost termination of non-overlapping TRSs. 
Abstract. This paper describes a new data structure, difference decision diagrams 
(DDDs), for representing a Boolean logic over inequalities of the form x − y < c 
where the variables are integer or real-valued. We give algorithms for manipulating 
DDDs and for determining validity, satisfiability, and equivalence. DDDs enable 
an efficient verification of timed systems modeled as, for example, timed automata 
or timed Petri nets, since both the states and their associated timing information 
are represented symbolically, similar to how BDDs represent Boolean predicates. 
We demonstrate the efficiency of DDDs by analyzing a timed system and compare 
the results with the tools Kronos and Uppaal. 



1 Introduction 

Today model checking [13] is used extensively for formal verification of finite state 
systems such as digital circuits and embedded software. The success of the technique is 
primarily due to the use of BDDs [9] for representing sets of and relations over Boolean 
variables symbolically, making it possible to verify systems with a very large number 
of states. However, if the model contains non-Boolean (e.g., real-valued) variables, 
BDDs and other symbolic representations of Boolean predicates are inefficient. As a 
consequence, state-of-the-art techniques for analyzing systems with time, modeled for 
example as timed automata, are only capable of analyzing systems with a handful of 
timers and a few thousand states. 

In this paper we consider a Boolean logic extended with difference constraints, i.e., 
inequalities of the form x − y < c, where x and y are integer or real-valued variables and 
c is a constant. Difference constraints arise naturally when analyzing systems with time, 
expressing relations between the timers in the model, e.g., that the difference between 
two timers is within some bound. We call the Boolean logic over difference constraints 
difference constraint expressions, given by the following grammar: 

$\phi ::= x - y < c \;\mid\; \neg\phi \;\mid\; \phi_1 \wedge \phi_2 \;\mid\; \exists x.\phi ,$ (1) 

where x, y ∈ Var denote variables and c ∈ D denotes a constant. We will allow the 
usual derived operators such as x − y > c, φ_1 ∨ φ_2, and ∀x.φ. In this paper, the domain 
D of the logic is either the real numbers ℝ or the integers ℤ. 

* This work was carried out while the authors were at the Department of Information Technology, 
Technical University of Denmark, and was financially supported by a grant from the Danish 
Technical Research Council. 
Fig. 1. The expression φ in (2) as (a) an (x, y)-plot for z = 0, and (b) a difference decision 
diagram. 

The main contribution of this paper is a data structure, called difference decision diagrams 
(DDDs), for representing difference constraint expressions symbolically, making 
it possible to represent the state space of timed systems (and other systems with non-Boolean 
variables) efficiently. DDDs represent difference constraint expressions using 
a decision tree in a manner similar to the BDD representation of a Boolean expression. 
Consider the following expression φ over x, y, z ∈ ℝ: 

$\phi \;=\; 1 < x - z < 3 \;\wedge\; (y - z > 2 \;\vee\; y - x > 0).$ (2) 

Figure 1 shows φ as an (x, y)-plot for z = 0 and the corresponding DDD. Each non-terminal 
vertex in a DDD contains a test expression α (a difference constraint) and has 
two outgoing edges called the high- and low-branch which are drawn with solid and 
dashed lines, respectively. The high-branch is followed when α evaluates to true; the 
low-branch when α evaluates to false. 



1.1 Related Work 

One approach to analyze systems with time or other continuous variables is to make the 
dense domains discrete. For example, in a timed model it is assumed that the clocks only 
can take integer or rational values. Such a discretization makes it possible to use BDDs 
for representing both the state graph and the associated timing information [2,8,10,11]. 
However, this way of representing dense domains is often inefficient; the BDD representation 
is very sensitive to the granularity of the discretization and to the size of the delay 
ranges. Another approach based on BDDs is to have a Boolean variable representing each 
constraint, and use an external decision procedure to determine implications among these 
variables [12]. These implications are used to prune the representation of the state space. 
The advantage is that any kind of decidable constraints can be used. Our approach can 
be seen as a simplified version of this where we take advantage of restricting the types 
of constraints to difference constraints and perform reductions on-the-fly. 

Several algorithms for analyzing timed automata have been developed. The unit-cube 
approach [1] models time as dense but represents the timing information using a 
finite number of equivalence classes. Again, the number of timed states is dependent on 
the size of the delay ranges and easily becomes unmanageable. Several recent timing 
analysis methods use difference bound matrices (DBMs) [15] for representing the timing 
information [7,18,23,28]. In these approaches, a set of DBMs representing the possible 
timer configurations is associated with each discrete state of the system. Although DBMs 
provide a compact representation of a clock configuration, there are several serious problems 
with the approaches based on DBMs: first, the number of DBMs for representing 
the timing information associated with a given state can become very large, secondly, 
there is no sharing or reuse of DBMs among the different discrete states, and finally, 
each discrete state is represented explicitly, thus these approaches are limited by the 
number of reachable states of the system. Several researchers have attempted to remedy 
these shortcomings, for example by using partial order methods [6,24,26] or by using 
approximate methods [3,5,27]. Although these approaches do address the first problem, 
they are still susceptible to the last two problems since each state is represented explicitly. 
Using DDDs it is possible to combat all three problems since first, unlike DBMs, 
DDDs are not limited to representing the timing information as a union of convex sets, 
secondly, DDDs represent all states and the associated timing information in a single 
shared data structure, and finally, states and the timing information are represented 
symbolically using difference constraint expressions. Another approach [25] suggests using 
a partition refinement algorithm for efficient model checking. However, the reported 
running times are still exponential. 

Based on the initial ideas of this paper, Behrmann et al. [4] have implemented a 
minor variation of DDDs allowing a fanout of more than two (which they call CDDs). 
They have shown a significant improvement in memory consumption in Uppaal, even 
though the experiments in contrast to ours do not use a fully symbolic approach (the 
discrete states are enumerated explicitly). Thus, this approach will not be able to handle 
the larger instances of the timed system in Sect. 6. 

2 Difference Decision Diagrams 

The data structure difference decision diagrams (DDDs) is developed to efficiently re- 
present and manipulate difference constraint expressions. Difference decision diagrams 
share many properties with binary decision diagrams (BDDs): they can be ordered, they 
can be reduced making it possible to check for validity and satisfiability in constant time, 
and many of the algorithms and techniques for BDDs can be modified to apply to DDDs. 



Definition 1 (Difference Decision Diagram). A difference decision diagram (DDD) is 
a directed acyclic graph (V, E). The vertex set V contains two terminals 0 and 1 with 
out-degree zero, and a set of non-terminal vertices with out-degree two and the following 
attributes: 

Attribute | Type | Description 
pos(v), neg(v) | Var | Positive variable x_i, and negative variable x_j. 
op(v) | {LE, LEQ} | Operator < or ≤. 
const(v) | D | Constant c. 
high(v), low(v) | V | High-branch h, and low-branch l. 

The set E contains the edges (v, low(v)) and (v, high(v)), where v ∈ V is a non-terminal 
vertex. 

Similar to BDDs, the non-terminal vertices of a DDD correspond to the if-then-else 
operator α → φ_1, φ_0 defined by 

$\alpha \to \phi_1, \phi_0 \;=\; (\alpha \wedge \phi_1) \vee (\neg\alpha \wedge \phi_0),$ 
where α is a test expression and φ_0, φ_1 are difference constraint expressions. However, 
unlike BDDs, the test expression α is not a Boolean variable, but a difference constraint 
of the form x − y ◁ c, where the symbol ◁ represents either < or ≤. Each vertex v in a 
DDD denotes a difference constraint expression φ^v. If v is a terminal vertex, i.e., either 
0 or 1, φ^v is false or true, respectively. Otherwise, v represents the expression φ^v given 
by: 

$\phi^v \;=\; x_i - x_j \lhd c \;\to\; \phi^{high(v)}, \phi^{low(v)},$ 

where x_i = pos(v), x_j = neg(v), ◁ = op(v), and c = const(v). We use the following 
notational shorthands: 

var(v) = (pos(v), neg(v)) 
bound(v) = (const(v), op(v)) 
cstr(v) = (var(v), bound(v)). 

Adding two bounds (c_1, o_1) and (c_2, o_2) gives (c_1 + c_2, o_1 + o_2), where o_1 + o_2 is LEQ if 
both o_1 and o_2 are LEQ and LE otherwise. Negating a bound (c, o) gives (−c, ¬o), where 
¬LE is LEQ and ¬LEQ is LE. We use v ⇝ u to denote that the vertex u is reachable from 
v (i.e., there is a path from v to u). The size of a DDD v, denoted |v|, is the number of 
vertices reachable from v; that is, |v| = |{u ∈ V : v ⇝ u}|. 

2.1 Ordering 

To define ordered DDDs, we assume given a total ordering ≺ of the variables x_1, ..., x_n 
which furthermore must totally order pairs of variables (x_i, x_j) (see footnote). We extend this ordering 
to attributes cstr(v) of vertices v in a DDD. Constants, const(v), are ordered 
as usual in D, and the two operators, op(v), are ordered as LE ≺ LEQ. Bounds, 
(const(v), op(v)), and constraints, (var(v), bound(v)), are ordered lexicographically. 
For example, ((x_2,x_1), (0,LE)) ≺ ((x_2,x_1), (0,LEQ)) ≺ ((x_2,x_1), (1,LE)). We assume 
that the two terminal vertices have attributes that are greater than all non-terminals. 

Definition 2 (Ordered DDD). An ordered DDD (ODDD) is a DDD where each non-terminal 
vertex v satisfies: 

1. neg(v) ≺ pos(v), 

2. var(v) ≺ var(high(v)), 

3. var(v) ≺ var(low(v)) or 
   var(v) = var(low(v)) and bound(v) ≺ bound(low(v)). 

Requirement 1 expresses that the pair of variables var(v) = (pos(v), neg(v)) = (x_i, x_j) 
of a vertex v is normalized; that is, x_j ≺ x_i. This does not restrict what we can represent 
with DDDs, because the two variables in a vertex can always be swapped by negating the 
bound and swapping the low- and high-branches. We further require in an ordered DDD, 
that either the children of a vertex have variables later in the ordering (requirement 2 
and first part of 3) or the variables along the low-branch are identical (second part of 3). 
The second part of requirement 3 makes it possible to have multiple tests on the same 
pair of variables, which is needed because of the disjunctive abilities of DDDs. The last 
two requirements imply cstr(v) ≺ cstr(high(v)) and cstr(v) ≺ cstr(low(v)). The 
DDD in Fig. 1 is an example of an ordered DDD with the ordering z ≺ x ≺ y extended 
reversed lexicographically to pairs of variables. 

Footnote: Pairs of variables can for example be ordered reversed lexicographically, that is (x_i, x_j) ≺ 
(x_i', x_j') iff x_j ≺ x_j' or (x_j = x_j' ∧ x_i ≺ x_i'). 

2.2 Locally Reduced DDDs 

Similar to ROBDDs, we define a set of local reduction rules that reduce the size of the 
DDD representation. 

Definition 3 (Locally Reduced DDD). A locally reduced DDD (RlDDD) is an ODDD 
satisfying, for all non-terminals u and v: 

1. D = ℤ implies op(v) = LEQ, 

2. (cstr(u), high(u), low(u)) = (cstr(v), high(v), low(v)) implies u = v, 

3. low(v) ≠ high(v), 

4. var(v) = var(low(v)) implies high(v) ≠ high(low(v)). 

Requirements 2 and 3 are identical to the reduction requirements for ROBDDs. Thus, if we 
encode a Boolean variable b_i as a difference constraint of the form x_i − x_j < 0, any Boolean expression over b_1, b_2, ..., b_n is 
represented in a canonical form using locally reduced DDDs. Requirement 4 ensures that 
any two consecutive vertices with the same pair of variables have different high-branches. 
This requirement is fulfilled using the following equivalence for ordered DDDs (where 
bound(v) ≺ bound(low(v)), so the first test implies the second): 

$x - y \lhd_1 c_1 \to h, (x - y \lhd_2 c_2 \to h, l) \;=\; x - y \lhd_2 c_2 \to h, l .$ 



3 Construction of DDDs 

In this section we present efficient algorithms for manipulating locally reduced DDDs. 
For a more detailed description see [21]. Orderedness ensures that the basic algorithm 
for computing the Boolean connectives is polynomial. However, for existential quantification 
the situation is different. Although the algorithm in polynomial time computes 
the modified and additional constraints, its worst-case running time is exponential since 
it needs to regain orderedness. 

The algorithms are all based on a function Mk for creating DDD vertices. The 
function Mk normalizes the two variables and ensures that the created vertex is locally 
reduced: If x is different from y, Mk((x, y), (c, o), h, l) returns the identity of a vertex 
equivalent to a vertex v with var(v) = (x, y), bound(v) = (c, o), high(v) = h, and 
low(v) = l. If x is equal to y, Mk returns 0 if the bound is less than (0, LEQ), and 
1 otherwise (x − x is 0, so the test holds exactly when 0 ◁ c). Using Mk as the only function for constructing a DDD ensures that it is 
locally reduced. As for BDDs, Mk can be implemented with an expected running time 
of O(1). 
Fig. 2. Existential quantification of x in (2). (a) An (x, y)-plot of φ for z = 0. (b) An (x, y)-plot 
of ∃x.φ for z = 0. (c) The DDD for ∃x.φ. 



3.1 Boolean Combination of DDDs 



The function Apply(op, u, v) is used to combine two DDDs rooted at u and v with a 
Boolean operator op. Apply is a generalization of the version used for ROBDDs, which 
is based on the fact that any binary Boolean operator op distributes over the if-then-else 
operator: 

$(\alpha \to h, l)\ \mathit{op}\ (\alpha' \to h', l') \;=\; \alpha \to \big(h\ \mathit{op}\ (\alpha' \to h', l')\big),\ \big(l\ \mathit{op}\ (\alpha' \to h', l')\big).$ (3) 

This equivalence provides a method to combine two DDDs with a Boolean operator. 
Reading the equivalence from left to right, we see that we can move the Boolean operator 
down one level in the DDD. If we continuously do so until both arguments of op are 0 
or 1, we can evaluate the expression and return the appropriate result. 

If the two pairs of variables are equal, we can simplify (3): 

$(\alpha \to h, l)\ \mathit{op}\ (\alpha' \to h', l') \;=\; 
\begin{cases} 
\alpha \to (h\ \mathit{op}\ h'),\ (l\ \mathit{op}\ (\alpha' \to h', l')) & \text{if } \alpha \prec \alpha', \\ 
\alpha \to (h\ \mathit{op}\ h'),\ (l\ \mathit{op}\ l') & \text{if } \alpha = \alpha', \\ 
\alpha' \to (h\ \mathit{op}\ h'),\ ((\alpha \to h, l)\ \mathit{op}\ l') & \text{if } \alpha \succ \alpha'. 
\end{cases}$ (4) 

Here α ≺ α' on the same pair of variables means that α implies α', so whenever α holds both 
diagrams take their high-branches. Together, (3) and (4) yield the algorithm Apply: We use (3) when (x, y) ≺ (x', y') or 
(x, y) ≻ (x', y') and (4) when (x, y) = (x', y'). Using Mk to construct new vertices 
and applying dynamic programming, the runtime of Apply is the same as the ROBDD 
version, that is, O(|u| · |v|). 
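Definitions 1-3 and the Mk and Apply functions of Sects. 2 and 3.1, as an added example written for this page (it is not the authors' implementation and not the code behind the experiments in Sect. 6). The sketch covers D = ℝ only: bound addition and negation, the lexicographic ordering on constraints, Mk with hash-consing and reduction rules 2-4 of Def. 3, and Apply built from (3) and (4), plus an evaluator used to check the semantics. The variable ordering z ≺ x ≺ y and the expression φ of (2) are those of Fig. 1; the integer normalisation (rule 1 of Def. 3) and quantification are left out.

```python
# Added example, not the paper's code: a minimal locally reduced DDD library over
# the reals.  mk normalizes the variable pair (Def. 2, req. 1), evaluates x - x ◁ c,
# applies rules 2-4 of Def. 3 (hash-consing, low != high, rule 4); apply implements
# equations (3) and (4).  The variable ordering and the expression (2) follow Fig. 1.

LE, LEQ = "<", "<="
ORDER = {"z": 0, "x": 1, "y": 2}          # assumed total ordering z < x < y

def bound_add(b1, b2):                    # (c1,o1) + (c2,o2): LEQ only if both are LEQ
    (c1, o1), (c2, o2) = b1, b2
    return (c1 + c2, LEQ if o1 == LEQ and o2 == LEQ else LE)

def bound_neg(b):                         # not (x - y o c)  is  y - x (not o) -c
    c, o = b
    return (-c, LEQ if o == LE else LE)

def bound_key(b):                         # bounds ordered by constant, then LE < LEQ
    return (b[0], 0 if b[1] == LE else 1)

def var_key(var):                         # pairs ordered reversed lexicographically (footnote)
    pos, neg = var
    return (ORDER[neg], ORDER[pos])

class Node:
    __slots__ = ("var", "bound", "high", "low")
    def __init__(self, var, bound, high, low):
        self.var, self.bound, self.high, self.low = var, bound, high, low

ZERO, ONE = Node(None, None, None, None), Node(None, None, None, None)   # terminals
UNIQUE = {}                               # (var, bound, high, low) -> Node, rule 2

def mk(var, bound, h, l):
    """Vertex for (pos - neg o c -> h, l), normalized and locally reduced."""
    pos, neg = var
    if pos == neg:                        # x - x o c is the constant 0 o c
        return ONE if bound_key(bound) >= bound_key((0, LEQ)) else ZERO
    if ORDER[pos] < ORDER[neg]:           # req. 1: swap so that neg < pos
        return mk((neg, pos), bound_neg(bound), l, h)
    if h is l:                            # rule 3
        return h
    if l.var == var and l.high is h:      # rule 4: (x-y o1 c1 -> h, (x-y o2 c2 -> h, l)) = low
        return l
    key = (var, bound, h, l)
    if key not in UNIQUE:
        UNIQUE[key] = Node(var, bound, h, l)
    return UNIQUE[key]

def apply(op, u, v):
    """Combine DDDs u and v with a Boolean operator op: (bool, bool) -> bool."""
    memo = {}
    def go(u, v):
        if u.var is None and v.var is None:
            return ONE if op(u is ONE, v is ONE) else ZERO
        if (id(u), id(v)) in memo:
            return memo[(id(u), id(v))]
        if v.var is None or (u.var is not None and var_key(u.var) < var_key(v.var)):
            r = mk(u.var, u.bound, go(u.high, v), go(u.low, v))        # (3), u on top
        elif u.var is None or var_key(v.var) < var_key(u.var):
            r = mk(v.var, v.bound, go(u, v.high), go(u, v.low))        # (3), v on top
        else:                                                           # same pair: (4)
            bu, bv = bound_key(u.bound), bound_key(v.bound)
            if bu < bv:
                r = mk(u.var, u.bound, go(u.high, v.high), go(u.low, v))
            elif bu == bv:
                r = mk(u.var, u.bound, go(u.high, v.high), go(u.low, v.low))
            else:
                r = mk(v.var, v.bound, go(u.high, v.high), go(u, v.low))
        memo[(id(u), id(v))] = r
        return r
    return go(u, v)

def lt(x, y, c): return mk((x, y), (c, LE), ONE, ZERO)   # x - y < c
def gt(x, y, c): return lt(y, x, -c)                      # x - y > c  ==  y - x < -c
def AND(u, v):   return apply(lambda a, b: a and b, u, v)
def OR(u, v):    return apply(lambda a, b: a or b, u, v)
def NOT(u):      return apply(lambda a, b: a != b, u, ONE)

def evaluate(v, env):
    """Truth value of the expression denoted by vertex v under a valuation env."""
    while v.var is not None:
        d, (c, o) = env[v.var[0]] - env[v.var[1]], v.bound
        v = v.high if (d < c if o == LE else d <= c) else v.low
    return v is ONE

def size(v, seen=None):
    """|v|: number of vertices reachable from v (v itself and the terminals included)."""
    seen = set() if seen is None else seen
    if id(v) in seen:
        return 0
    seen.add(id(v))
    return 1 if v.var is None else 1 + size(v.high, seen) + size(v.low, seen)

# phi = 1 < x - z < 3  and  (y - z > 2  or  y - x > 0)   -- expression (2)
PHI = AND(AND(gt("x", "z", 1), lt("x", "z", 3)), OR(gt("y", "z", 2), gt("y", "x", 0)))
```

Building PHI exercises every case: gt("x","z",1) is created as z − x < −1 and comes back from mk as the normalized vertex x − z ≤ 1 with swapped branches; the conjunction of x − z ≤ 1 and x − z < 3 goes through the first case of (4) and yields a chain of two vertices on the same pair (x, z), which is what requirement 3 of Def. 2 permits; the disjunction goes through (3). The resulting diagram has six vertices (four non-terminals and the two terminals), and evaluating it at sample points agrees with (2).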



3.2 Quantifications 

Since the domain of the variables is infinite, quantification is more complicated than the 
binary Boolean connectives. Based on the Fourier-Motzkin method [16], we perform an 
existential quantification of a variable x in a DDD rooted at u by removing all vertices 
reachable from u containing x, but keeping all implicit constraints induced by x among 
the other variables. For example, quantifying out x in the expression φ given in (2) yields 
∃x.φ = y − z > 1, see Fig. 2. Here, the constraint y − z > 1 does not occur explicitly 
in φ, but implicitly because of y − x > 0 and x − z > 1. 

To compute ∃x.(x_i − x_j ◁ c → h, l), we consider two cases: If x is different from 
both x_i and x_j, we can push down the quantifier one level in the DDD: 

$\exists x.(x_i - x_j \lhd c \to h, l) \;=\; x_i - x_j \lhd c \to \exists x.h,\ \exists x.l \qquad \text{if } x \notin \{x_i, x_j\}.$ 

If x is equal to x_i or x_j, we relax all paths in h and l with x_i − x_j ◁ c and with its 
negation x_j − x_i ¬◁ −c, respectively, and combine the results with disjunction: 

$\exists x.(x_i - x_j \lhd c \to h, l) \;=\; \exists x.\mathrm{Relax}(h, x, x_i - x_j \lhd c) \;\vee\; \exists x.\mathrm{Relax}(l, x, x_j - x_i \,\neg\lhd\, {-c}) \qquad \text{if } x \in \{x_i, x_j\}.$ 

If x is equal to x_i, relaxation of a path p with a constraint x_i − x_j ◁ c consists of 
adding a new constraint x_k − x_j ◁'' c' + c to p for each constraint x_k − x_i ◁' c' in p, 
where (c' + c, ◁'') is the sum of the bounds (c', ◁') and (c, ◁) in the sense of Sect. 2 (see footnote). 
The case where x is equal to x_j is symmetric. In the worst case, each relaxation generates 
a quadratic number of new constraints. Thus, a conservative bound on the number of 
added constraints in an existential quantification ∃x.u is O(|u|³), because each vertex 
in u is relaxed once. However, to maintain orderedness these new constraints cannot be 
added where they are discovered through calls to Mk, but need to be added through calls 
to Apply. The repeated calls to Apply imply that the running time of ∃x.u is worst-case 
exponential. 
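The relaxation step described above, as an added example (written for this page, not the paper's code): Fourier-Motzkin elimination of x on one DDD path, i.e. on a conjunction of difference constraints, with the two paths of φ from (2) that lead to the terminal 1 written out by hand. The tuple encoding of a constraint is an assumption of the example; the full algorithm would run this on every path of the DDD and combine the results with Apply, which is where the exponential worst case comes from.

```python
# Added example, not the paper's code: Fourier-Motzkin elimination of one variable
# from a single DDD path (a conjunction of difference constraints).  A constraint
# p - n o c is encoded as the tuple (p, n, c, o) with o in {"<", "<="}; the constraint
# sets below are constructed by hand from expression (2).

LE, LEQ = "<", "<="

def bound_add(b1, b2):                    # bound addition of Sect. 2
    (c1, o1), (c2, o2) = b1, b2
    return (c1 + c2, LEQ if o1 == LEQ and o2 == LEQ else LE)

def eliminate(path, x):
    """Exists x. (conjunction of path).  Every upper bound x - n o c on x is combined with
    every lower bound p - x o' c' on x into the implicit constraint p - n (o+o') c + c';
    constraints not mentioning x are kept.  Returns None if the path is infeasible."""
    uppers = [k for k in path if k[0] == x and k[1] != x]
    lowers = [k for k in path if k[1] == x and k[0] != x]
    rest = [k for k in path if x not in k[:2]]
    derived = []
    for (_, n, c, o) in uppers:
        for (p, _, c2, o2) in lowers:
            c3, o3 = bound_add((c, o), (c2, o2))
            if p == n:                        # p - p o3 c3 is the constant 0 o3 c3
                if not (c3 > 0 or (c3 == 0 and o3 == LEQ)):
                    return None               # contradiction: the path is empty
                continue
            derived.append((p, n, c3, o3))
    return rest + derived

# The two paths of (2) that reach the terminal 1 (x - z > 1 is written z - x < -1, etc.):
PATH_A = [("z", "x", -1, LE), ("x", "z", 3, LE), ("z", "y", -2, LE)]                   # 1<x-z<3, y-z>2
PATH_B = [("z", "x", -1, LE), ("x", "z", 3, LE), ("y", "z", 2, LEQ), ("x", "y", 0, LE)]  # 1<x-z<3, y-z<=2, y-x>0

def exists_x_phi():
    """Exists x.phi for (2) as the list of eliminated paths (their disjunction is y - z > 1)."""
    return [eliminate(PATH_A, "x"), eliminate(PATH_B, "x")]

if __name__ == "__main__":
    print(exists_x_phi())
    print(eliminate([("x", "z", 1, LE), ("z", "x", -1, LEQ)], "x"))   # x-z<1 and x-z>=1
```

On PATH_B the pair x − z < 3 and z − x < −1 only yields the trivial 0 < 2 and is dropped, while x − y < 0 and z − x < −1 produce z − y < −1, i.e. the implicit y − z > 1 of Fig. 2; together with the kept y − z ≤ 2, and disjoined with PATH_A's y − z > 2, this is exactly y − z > 1. The last call shows the contradiction case (x − z < 1 together with x − z ≥ 1 collapses to 0 < 0), which is how an infeasible path is recognised during relaxation.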



3.3 Assignment and Replacement 

The operations of assignment and replacement are often used in verification. After 
performing an assignment φ[x ← y + c] the variable x is given the value of another 
variable y plus a constant c in the expression φ. When x ≠ y, performing an assignment 
corresponds to removing all explicit bounds on x, and then updating x with a new value. 
The assignment operation φ[x ← y + c] is therefore performed as: 

$$\phi[x \leftarrow y + c] \;=\; (\exists x.\phi) \wedge (x - y = c) \qquad \text{if } x \ne y.$$

If x is equal to y, an assignment corresponds to incrementing x by the value c. In this 
case, the assignment is performed in linear time by adjusting the constants of all vertices 
containing the variable x. 

The replacement operator φ[y + c/x] syntactically substitutes all occurrences of x 
in φ with another variable y plus a constant c. When the two variables are different, a 
replacement is performed as: 

$$\phi[y + c/x] \;=\; \exists x.(\phi \wedge (x - y = c)) \qquad \text{if } x \ne y.$$

If x is equal to y, the replacement φ[x + d/x] is defined as φ[t/x][x + d/t], where t is 
a variable different from x and not occurring in φ. 

We can avoid the quantification by performing the replacement φ[y + c/x] directly 
on each vertex in φ by replacing all occurrences of x with y + c. This is advantageous 
when x and y are neighbors in the variable ordering (this is often the case in model 
checking), since replacement can then be performed in linear time. 

¹ In terms of the constraint graph [14, p. 541] defined by p, relaxation with x_i − x_j ≤ c, 
corresponding to an edge from x_j to x_i, creates a new edge from x_j to x′ with weight c + c′ for 
each edge from x_i to x′ with weight c′ (i.e., the edge from x_j to x′ is now explicit, not implicit 
via x_i). 
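The following Python code is an added example, not part of the paper, that shows the quantification, assignment and replacement operations of Sects. 3.2 and 3.3 restricted to a single path, i.e. one conjunction of difference constraints (on a whole DDD the same steps are applied per vertex and the results recombined with Apply, which is not modelled here). The constraint tuples, the variable names x, y, z, w and the brute-force `projections` check are all constructed for this example.

```python
from itertools import product
from typing import List, Optional, Tuple

# A difference constraint x_i - x_j <= c (strict=False) or x_i - x_j < c (strict=True),
# stored as (i, j, c, strict).  A DDD path is a conjunction: a list of such constraints.
Constraint = Tuple[str, str, int, bool]
Path = List[Constraint]


def relax(path: Path, x: str) -> Optional[Path]:
    """Existential quantification of x over one path (a conjunction).

    Path-level form of the Relax step: for every pair x_k - x <= c' and x - x_j <= c on
    the path, the implicit constraint x_k - x_j <= c + c' is made explicit (the two edges
    through x in the constraint graph are contracted); then every constraint mentioning x
    is dropped.  A derived constraint on a single variable, 0 <= c, is a tautology
    (dropped) or a contradiction, in which case the path is infeasible and None is
    returned.  A derived constraint is strict if either of its parents is."""
    upper = [(i, c, s) for i, j, c, s in path if j == x and i != x]  # x_i - x (<|<=) c
    lower = [(j, c, s) for i, j, c, s in path if i == x and j != x]  # x - x_j (<|<=) c
    rest = [a for a in path if x not in a[:2]]
    for k, c1, s1 in upper:
        for j, c2, s2 in lower:
            c, strict = c1 + c2, s1 or s2
            if k == j:
                if c < 0 or (c == 0 and strict):
                    return None
            else:
                rest.append((k, j, c, strict))
    return rest


def assign(path: Path, x: str, y: str, c: int) -> Optional[Path]:
    """phi[x <- y + c].  For x != y this is (exists x. phi) /\\ (x - y = c) as in Sect. 3.3;
    for x == y the value of x is incremented by c, which only shifts the constants of the
    constraints mentioning x (new x = old x + c)."""
    if x == y:
        return [(i, j, k + c, s) if i == x else (i, j, k - c, s) if j == x else (i, j, k, s)
                for i, j, k, s in path]
    q = relax(path, x)
    if q is None:
        return None
    return q + [(x, y, c, False), (y, x, -c, False)]  # x - y = c as two inequalities


def replace(path: Path, x: str, y: str, c: int) -> Optional[Path]:
    """phi[y + c / x]: substitute y + c for x in every constraint.  This is the direct,
    linear-time form from Sect. 3.3, equivalent to exists x.(phi /\\ x - y = c); it also
    covers x == y (shift x by c, as phi[t/x][x + c/t] would).  A constraint collapsing to
    0 (<|<=) k is dropped when trivially true, otherwise the path is infeasible."""
    out: Path = []
    for i, j, k, s in path:
        i2, j2 = (y if i == x else i), (y if j == x else j)
        k2 = k - (c if i == x else 0) + (c if j == x else 0)
        if i2 == j2:
            if k2 < 0 or (k2 == 0 and s):
                return None
            continue
        out.append((i2, j2, k2, s))
    return out


def holds(path: Path, val: dict) -> bool:
    """Evaluate a conjunction of difference constraints under an assignment."""
    return all((val[i] - val[j] < c) if s else (val[i] - val[j] <= c) for i, j, c, s in path)


def projections(path: Path, keep: Tuple[str, ...], rng=range(-4, 5)) -> set:
    """Brute-force reference semantics on non-strict constraints: the assignments to
    `keep` (integers in rng) that extend to a model of `path`.  Used only to check relax
    against the definition of existential quantification (strict constraints need real-
    valued witnesses, so they are not checked this way)."""
    names = sorted({v for i, j, _, _ in path for v in (i, j)} | set(keep))
    found = set()
    for values in product(rng, repeat=len(names)):
        val = dict(zip(names, values))
        if holds(path, val):
            found.add(tuple(val[k] for k in keep))
    return found


if __name__ == "__main__":
    # Constructed instance mirroring the text: y - x > 0 and x - z > 1, written as
    # x - y < 0 and z - x < -1; quantifying out x must leave y - z > 1, i.e. z - y < -1.
    phi = [("x", "y", 0, True), ("z", "x", -1, True)]
    print(relax(phi, "x"))            # [('z', 'y', -1, True)]
    print(assign(phi, "x", "y", 1))   # bounds on x dropped, then x - y = 1 added
    print(replace(phi, "x", "y", 1))  # None: y - (y + 1) > 0 is contradictory
```

The brute-force `projections` check is only exact for non-strict constraints over integers, which is why the self-check in use below is done on the non-strict variant of the instance.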
4 Path Reduced DDDs 

The previous section describes algorithms for constructing locally reduced DDDs. 
However, locally reduced DDDs are not a canonical representation of difference constraint 
expressions. In this section we show how to remove some of the redundant constraints 
in a path, making the representation semi-canonical. In a semi-canonical 
representation, there is exactly one DDD for a tautology (the terminal 1) and exactly one DDD 
for an unsatisfiable expression (the terminal 0). Thus, with semi-canonical DDDs it is 
straightforward to test for validity, satisfiability, and equivalence (after using Apply with 
a biimplication). 



4.1 Paths and Semi-canonical DDDs 

A path in a DDD corresponds to a conjunction of difference constraints or negated 
difference constraints (whenever the path follows a low -branch). Since the negations 
always can be removed by swapping the variables, changing the comparison operator, 
and negating the constant, a path corresponds to a conjunction of difference constraints, 
also called a system of difference constraints [14, Sect. 25.5]. We denote the system of 
difference constraints induced by a path p by [p] . A path p is defined to be feasible if the 
corresponding system of difference constraints has a feasible solution. If the constraint 
system has no solution, the path is infeasible. 

Definition 4 (Path-reduced DDD). A path-reduced DDD (RpDDD) is a locally reduced 
DDD where all paths are feasible. 

Paths ending at the terminals 0 and 1 are called 0-paths and 1 -paths, respectively. If 
a DDD has no infeasible 0-paths and 1-paths, then it has no infeasible paths because 
a feasible constraint system will still be feasible if we remove some of the difference 
constraints from it. So if all 0-paths and 1-paths in a DDD u are feasible, then u is path 
reduced. For RpDDDs it is straightforward to decide satisfiability and validity: 

Theorem 1 (RpDDDs are semi-canonical). In an RpDDD, the terminal vertex 1 is the 
only representation of a tautology and the terminal vertex 0 is the only representation 
of an unsatisfiable expression. 

Proof. We show that if v is a non-terminal in a path reduced DDD, then v represents 
neither a tautology nor an unsatisfiable expression. Because v is path reduced, it is 
also locally reduced, so all vertices u reachable from v satisfy low(u) ≠ high(u). 
Furthermore, because v is a non-terminal vertex in an (acyclic) ordered DDD, there 
exists some vertex u′ reachable from v that has low(u′) = 0 and high(u′) = 1 or 
low(u′) = 1 and high(u′) = 0. Consequently, both 0 and 1 are reachable from v. 
Let p be some 0-path from v. Per definition of path reducedness, we know that p is 
feasible. This implies that there exists a variable assignment satisfying [p], meaning that 
there exists a falsifying variable assignment for v. Thus, v cannot represent a tautology. 
Similarly, because there is a feasible 1-path from v, v is satisfiable. □ 
4.2 Reduce 

An algorithm for making a DDD rooted at u path reduced is: 

1 PathReduce(u) = Reduce(u, (u)) 
2 where Reduce(v, p) = 
3   if [p] is infeasible then return ⊥ 
4   elsif v ∈ {0, 1} then return v 
5   else h ← Reduce(high(v), p^(high(v))) 
6        l ← Reduce(low(v), p^(low(v))) 
7        if l ≠ ⊥ and h ≠ ⊥ then return Mk(var(v), bound(v), h, l) 
8        elsif h ≠ ⊥ then return h 
9        else return l 

The operator ^ denotes path concatenation. The function Reduce(v, p) returns ⊥ if and 
only if the path p is infeasible. Clearly, if p is infeasible, Reduce(v, p) returns ⊥ in 
line 3. On the other hand, if p is feasible, it is simple to see that either p^(high(v)) 
or p^(low(v)) is feasible, and thus Reduce(v, p) cannot return ⊥ in line 9. Hence, 
Reduce(v, p) = ⊥ if and only if p is infeasible. 

The correctness of PathReduce then follows from the following observation: if 
either h = ⊥ or l = ⊥ in lines 5 and 6, the vertex v can be removed. To see this, 
let [p] denote the system of difference constraints corresponding to the path p and let 
α = cstr(v) denote the difference constraint of vertex v. Assume l = ⊥, i.e., the path 
p^(low(v)) is infeasible, and thus [p] ∧ ¬α = false. Then, 

$$[p] \wedge \alpha \;=\; ([p] \wedge \alpha) \vee ([p] \wedge \neg\alpha) \;=\; [p] \wedge (\alpha \vee \neg\alpha) \;=\; [p].$$

It follows from a symmetric argument that the vertex v can be removed if h = ⊥. 

Let us consider a small example. Figure 3 shows an RlDDD for the expression 

$$\phi \;=\; x - z > 0 \;\vee\; y - z < 0 \;\vee\; y - x > 0. \qquad (5)$$

The 0-path corresponds to the system of difference constraints x − z < 0, z − y < 0, 
and y − x < 0, which has no feasible solution. Thus, if we call PathReduce on the 
root vertex, the Reduce-call on the vertex containing y − x < 0 returns ⊥, and because 
of the third local reduction requirement the result is the terminal 1. 

Fig. 3. The expression φ from (5) as (a) a locally reduced DDD, and (b) a path reduced DDD. 

There are several algorithms for determining whether a system of difference 
constraints is feasible. Two well-known ones are Floyd–Warshall’s algorithm and 
Bellman–Ford’s algorithm [14], which both have worst-case running times O(n³), where n is 
the number of variables. PathReduce(u) enumerates all paths in u, and because the 
number of paths can be exponential in the size of u, the complexity of PathReduce(u) 
is O(2^{|u|} n³). PathReduce can be improved by using a faster algorithm to determine 
feasibility of a path, and by reusing the result of the feasibility check in the two recursive 
calls. These optimizations can be realized by an incremental version of the Bellman–Ford 
algorithm, but although these optimizations in practice improve the performance 
of PathReduce, they do not improve on the worst-case runtime. 

As shown in Theorem 1, it is straightforward to determine whether a path reduced 
DDD represents a tautology and whether it is satisfiable. However, in practice it is often 
more efficient to search for a counterexample when checking for validity or satisfiability. 
For instance, when checking for validity, PathReduce can be modified to stop (and 
report false) if a feasible 0-path is found. Similarly, when checking for satisfiability, the 
algorithm can stop (and report true) if a feasible 1-path is found. This approach also leads 
to a practical algorithm for finding a satisfying variable assignment, called AnySat. The 
algorithm searches for a feasible 1-path and if one is found, the corresponding system 
of difference constraints is solved, yielding a satisfying assignment. 
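As an added example (not the paper's own code), here are PathReduce, Reduce and AnySat of Sect. 4.2 in Python over a constructed DDD. Path feasibility is decided by Bellman–Ford on the constraint graph of [14]; vertices are immutable tuples, so equal vertices coincide (the role of the unique table), Mk applies only the first local reduction rule, and strict inequalities are handled by counting them as infinitesimals. The formula is a constructed variant of (5) in which the inequality types are fixed so that its single 0-path is infeasible; the names x, y, z are the example's own.

```python
from typing import List, Optional, Tuple, Union

# A difference constraint x_i - x_j <= c (strict=False) or x_i - x_j < c (strict=True).
Constraint = Tuple[str, str, int, bool]
# A DDD vertex is a terminal (0 or 1) or an immutable (constraint, high, low) triple.
# Equal triples compare equal, which plays the role of the unique table (local
# reduction rule 2); rule 1 is enforced by mk().  The page's third rule is not modelled.
Vertex = Union[int, Tuple[Constraint, "Vertex", "Vertex"]]
BOT = None  # the result "bottom" of Reduce


def negate(a: Constraint) -> Constraint:
    """Constraint holding on a low-edge: not(x_i - x_j <= c) is x_j - x_i < -c and
    not(x_i - x_j < c) is x_j - x_i <= -c."""
    i, j, c, strict = a
    return (j, i, -c, not strict)


def feasible(system: List[Constraint]) -> bool:
    """Bellman-Ford on the constraint graph of [14]: x_i - x_j (<|<=) c is an edge from
    x_j to x_i.  Weights are pairs (c, -k) with k the number of strict constraints on a
    path, i.e. '< c' behaves as c minus an infinitesimal; pairs add componentwise and
    compare lexicographically.  Infeasible iff some cycle weighs less than (0, 0): a
    negative cycle, or a zero-weight cycle containing a strict constraint."""
    names = sorted({v for i, j, _, _ in system for v in (i, j)})
    edges = [(j, i, (c, -1 if strict else 0)) for i, j, c, strict in system]
    dist = {v: (0, 0) for v in names}  # virtual source with zero-weight edges to all

    def add(a, b):
        return (a[0] + b[0], a[1] + b[1])

    for _ in range(len(names)):
        changed = False
        for u, v, w in edges:
            if add(dist[u], w) < dist[v]:
                dist[v] = add(dist[u], w)
                changed = True
        if not changed:
            return True
    return not any(add(dist[u], w) < dist[v] for u, v, w in edges)


def mk(cstr: Constraint, high: Vertex, low: Vertex) -> Vertex:
    """Mk with local reduction rule 1: a vertex whose branches coincide is dropped."""
    return high if high == low else (cstr, high, low)


def reduce_(v: Vertex, path: List[Constraint]) -> Optional[Vertex]:
    """Reduce(v, p) of Sect. 4.2: returns BOT iff the path p is infeasible."""
    if not feasible(path):
        return BOT
    if v in (0, 1):
        return v
    cstr, high, low = v
    h = reduce_(high, path + [cstr])          # p ^ high(v): the constraint holds
    l = reduce_(low, path + [negate(cstr)])   # p ^ low(v): its negation holds
    if h is not BOT and l is not BOT:
        return mk(cstr, h, l)
    return h if h is not BOT else l           # drop v: one of its branches is infeasible


def path_reduce(u: Vertex) -> Vertex:
    """PathReduce(u) = Reduce(u, (u)); the result is 1 / 0 exactly for tautologies /
    unsatisfiable expressions (Theorem 1)."""
    return reduce_(u, [])


def any_sat(u: Vertex, path: Optional[List[Constraint]] = None) -> Optional[List[Constraint]]:
    """AnySat: depth-first search for a feasible 1-path, pruning infeasible prefixes.
    Returns the system of difference constraints along that path (a satisfying
    assignment is a solution of this system), or None if u is unsatisfiable."""
    path = path or []
    if not feasible(path):
        return None
    if u in (0, 1):
        return path if u == 1 else None
    cstr, high, low = u
    found = any_sat(high, path + [cstr])
    return found if found is not None else any_sat(low, path + [negate(cstr)])


if __name__ == "__main__":
    # Constructed variant of (5) with the inequalities made explicit:
    #   phi = x - z >= 0  or  y - z < 0  or  y - x > 0,
    # tested as "x - z < 0 ?", "y - z < 0 ?", "x - y < 0 ?" in that order.  Its only
    # 0-path is x < z, z <= y, y <= x, which is infeasible, so phi is a tautology.
    v3 = mk(("x", "y", 0, True), 1, 0)
    v2 = mk(("y", "z", 0, True), 1, v3)
    root = mk(("x", "z", 0, True), v2, 1)
    print(path_reduce(root))  # 1
    print(any_sat(root))      # the feasible 1-path x - z < 0, y - z < 0
```

Replacing the root's test by the non-strict x − z ≤ 0 makes the 0-path feasible (x = y = z), and PathReduce then returns the DDD unchanged rather than the terminal 1, which is the distinction between a tautology and a merely satisfiable expression that Theorem 1 relies on.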



5 Fully Reduced DDDs 

The reductions ensuring local and path reducedness are quite powerful. As an example 
consider the two sets built from nine triangles as shown in Fig. 4(a). They each contain 
nine convex regions representable by 15 non-terminal DDD vertices using the ordering 
(x, z) ≺ (y, z) ≺ (y, x). Computing the disjunction of the two sets using Apply results 
in the 3 × 3-square represented with only four non-terminal vertices in an RpDDD. 
As another example consider the nine sets shown in Fig. 4(b). Combined they yield 
a simple convex square although no two sets together form a convex region. Using 
difference bound matrices, similarly powerful reductions are very expensive to obtain. 

However, path-reducedness is not enough to ensure a canonical representation. As an 
example, consider the three path-reduced DDDs of Fig. 5 which all represent the same 
triangular area shown in Fig. 5(d). Local and path reductions are too weak to identify 
them. One problem (shown in Fig. 5(a)) is that the constraints may contain a certain 
amount of slack. For instance, the constraint x − z > 0 could be tightened to x − z > 2 
without changing the semantics. To avoid this kind of slack we introduce a notion of a 
path being tight which strengthens the notion of path reducedness. 

To introduce tightness we need to distinguish the dominating constraints in a path. 
Formally, a constraint x_i − x_j ⋈ c (with ⋈ ∈ {<, ≤}) is dominating in a path p if all other 
constraints x_i − x_j ⋈′ c′ on the same pair of variables in p are less restrictive, i.e., (c, ⋈) < (c′, ⋈′). 




Fig. 4 (panels (a) and (b)). Disjunctions of complex sets can reduce to simple RpDDDs. 
Non-dominating constraints occur only in paths that, through low-edges, pass through 
several vertices with constraints on the same pair of variables. 

Definition 5 (Tightness). A dominating constraint α = x_i − x_j ≤ c is tight in a feasible 
path [p] = [p_1] ∧ α ∧ [p_2] if for all tighter constraints (c′, ⋈′) < (c, ≤), the systems 
[p_1] ∧ (x_i − x_j ⋈′ c′) ∧ [p_2] and [p] have different solutions. A path p is tight if it is 
feasible and all dominating constraints on it are tight. An RlDDD u is tight if all paths 
from u are tight. 

From the definition it is clear that tightness generalizes path reducedness since any 
tight DDD is also an RpDDD. Hence, Theorem 1 implies that it is trivial to determine 
satisfiability and validity of tight DDDs. 

Adding tightness as a condition prevents the existence of the DDD in Fig. 5(a). A 
DDD can be made tight by enumerating all paths, solving for each path the associated 
system of difference constraints, replacing the bounds of the constraints by the bounds 
from the solution, and finally combining all the tight paths by disjunction using Apply. 
Hence, the DDD (a) will get reduced to the DDD (b). 
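Added example (not from the paper): the per-path tightening step just described, in Python. The closure of a path's constraint system is computed with Floyd–Warshall over bounds (c, −k), where k counts strict inequalities, and every constraint's bound is replaced by the tightest bound the whole system implies; a non-dominating constraint thereby receives the same bound as the dominating one on its pair. The constraint tuples and variable names are constructed for the example; recombining the tightened paths with Apply is not shown.

```python
from typing import Dict, List, Optional, Tuple

Constraint = Tuple[str, str, int, bool]   # x_i - x_j (<|<=) c; strict=True means '<'
Bound = Tuple[int, int]                   # (c, -k): '< c' is c minus k infinitesimals


def closure(path: List[Constraint]) -> Optional[Dict[Tuple[str, str], Bound]]:
    """Floyd-Warshall on the constraint graph of the path: cl[(j, i)] is the tightest
    bound on x_i - x_j implied by the whole system (the shortest path from x_j to x_i).
    Returns None if the path is infeasible, i.e. some x_k - x_k is bounded below (0, 0)."""
    names = sorted({v for i, j, _, _ in path for v in (i, j)})
    cl: Dict[Tuple[str, str], Optional[Bound]] = {
        (a, b): (0, 0) if a == b else None for a in names for b in names}
    for i, j, c, strict in path:
        b = (c, -1 if strict else 0)
        if cl[(j, i)] is None or b < cl[(j, i)]:   # keep the dominating constraint per pair
            cl[(j, i)] = b
    for k in names:
        for a in names:
            for b in names:
                if cl[(a, k)] is not None and cl[(k, b)] is not None:
                    via = (cl[(a, k)][0] + cl[(k, b)][0], cl[(a, k)][1] + cl[(k, b)][1])
                    if cl[(a, b)] is None or via < cl[(a, b)]:
                        cl[(a, b)] = via
    if any(cl[(a, a)] < (0, 0) for a in names):
        return None
    return cl  # type: ignore[return-value]


def tighten(path: List[Constraint]) -> Optional[List[Constraint]]:
    """Replace the bound of every constraint on a feasible path by the tight bound from
    the closure.  Returns None for an infeasible path."""
    cl = closure(path)
    if cl is None:
        return None
    out: List[Constraint] = []
    for i, j, _, _ in path:
        c, minus_k = cl[(j, i)]
        out.append((i, j, c, minus_k < 0))
    return out


if __name__ == "__main__":
    # Constructed path in the spirit of Fig. 5(a): x - y >= 1, y - z >= 1 and the slack
    # constraint x - z > 0, which the closure tightens to x - z >= 2.
    slack = [("y", "x", -1, False), ("z", "y", -1, False), ("z", "x", 0, True)]
    print(tighten(slack))   # [('y','x',-1,False), ('z','y',-1,False), ('z','x',-2,False)]
```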

Tight DDDs are still not canonical due to implicit constraints that arise as 
consequences of the constraints in the vertices. The solution set will not depend on how many 
of these implicit constraints are made explicit but the resulting DDDs will be different. 
To remove this arbitrariness, we add these implicit constraints to the DDD: 

Definition 6 (Saturation). A tight path p from an RpDDD is saturated if for all 
constraints α not on p, if α is added to p either (1) α is not dominating and tight, or (2) the 
constraint system [p_1] ∧ ¬α is infeasible, when [p] is written [p] = [p_1] ∧ [p_2] with all 
constraints on p_1 smaller than α with respect to ≺ and all constraints on p_2 larger than 
α. An RpDDD u is saturated if all paths from u are saturated. 

Saturation can be obtained by making as many implicit constraints as possible explicit 
without introducing any infeasible paths in the DDD. As an example, the DDD in Fig. 5(c) 
will be saturated into the DDD in Fig. 5(b). However, tight and saturated DDDs are still 
not canonical. Figure 6 shows an example of two tight, saturated RpDDDs that are 
equivalent. Intuitively, the problem is that the vertex with the constraint y − x ≤ 0 
is redundant, since the solution set is the area x − z > 1, y − z > 1. To detect such 
situations, a further check is necessary: 
Fig. 6. An example where the mergeability test is necessary to merge two paths into one, making 
the top constraint redundant (all plots are for z = 0). 



Definition 7 (Disjunctive vertex). Let p be a path leading to the vertex u in a DDD, 
and assume α = cstr(u), h = high(u), and l = low(u). Then u is disjunctive in p if 
[p] ∧ (α → h, l) and [p] ∧ (h ∨ l) have the same set of solutions. 

This leads us to the following definition and accompanying conjecture: 

Definition 8 (Fully reduced DDD). An RpDDD u is a fully-reduced DDD (RfDDD) 
if it is tight, saturated, and has no disjunctive vertices. 

Conjecture 1 (Canonicity). If u and v are RfDDDs with the same set of solutions then 
u = v. 

As illustrated by the above discussion, canonicity is rather difficult to obtain in DDDs. 
This is quite unlike the situation for BDDs, where local reductions and a total ordering 
of the variables are enough to obtain it. The reason is that in DDDs there are non-local 
dependencies among the various constraints, giving rise not only to untight constraints 
but also to implied constraints that may or may not be explicitly present. Pragmatically, the 
lack of canonicity of path-reduced DDDs might not be a problem. The main benefit of 
the canonicity of ROBDDs is that the questions of equivalence, satisfiability, and validity 
are trivial to answer. However, as pointed out in Theorem 1, satisfiability and validity 
are trivial for path-reduced DDDs, and even for locally reduced DDDs the questions can 
be solved by a simple on-the-fly search for feasible paths. The crucial issue is whether 
the representation stays compact during computations, which can occur with just a 
semi-canonical representation. 



6 Experimental Results 

DDDs can be used to analyze timed systems efficiently by representing sets of discrete 
states and their associated timing information implicitly. The DDD algorithms implement 
all operations necessary for analyzing general systems with time such as timed guarded 
commands [17], timed automata [1] or timed Petri nets [7]. 
Table 1. Experimental results for Milner’s scheduler with (a) one clock using the bounds 
[H^l, H^u] = [25, 200], and (b) one clock per task using the bounds [H^l, H^u] = [25, 200] and 
[T^l, T^u] = [80, 100]. The first column shows the number of cyclers, and the following three 
columns show the CPU time (in seconds) to build the reachable state space using Kronos (ver. 2.2b), 
Uppaal (ver. 2.17), and DDDs, respectively. The results were obtained on a Pentium II PC with 
64 MB of memory. A ‘–’ denotes that the analysis did not complete within an hour. 

(a) 

   N   Kronos   Uppaal      DDD 
   4      0.2      0.1      0.1 
   5      0.7      0.2      0.1 
   6     22.6      0.6      0.1 
   7    339.2      2.3      0.1 
   8        –      9.0      0.2 
   9        –     35.0      0.2 
  10        –    138.4      0.2 
  11        –    529.8      0.2 
  12        –   2560.7      0.3 
  16        –        –      0.5 
  32        –        –      2.2 
  64        –        –     15.9 
 128        –        –    123.3 
 256        –        –   1104.8 

(b) 

   N   Kronos   Uppaal      DDD 
   4      0.4      0.2      0.2 
   5      2.4      1.7      0.3 
   6     24.2     17.6      0.5 
   7    346.6    201.7      0.5 
   8        –   2460.2      0.6 
  16        –        –      1.5 
  32        –        –      5.7 
  64        –        –     31.7 
 128        –        –    217.3 



In [22] we show how to analyze two different timed versions of Milner’s scheduler. 
Milner’s scheduler [20] consists of N cyclers, connected in a ring, that cooperate on 
controlling N tasks. The two versions of Milner’s scheduler are simple, regular and 
highly concurrent systems, and they illustrate the advantages of a symbolic approach 
based on difference decision diagrams. With an implementation based on DDDs, the 
runtimes for computing the reachable state space are several orders of magnitude better 
than those obtained with two state-of-the-art tools, Kronos [28] and Uppaal [19]. 

In the first version we use a clock H to ensure that a cycler passes the token on to 
the following cycler within a bounded amount of time [H^l, H^u]. Table 1(a) shows the 
runtimes to build the reachable state space for increasing N. The number of discrete 
states in this version of Milner’s scheduler is exponential in N since a task can terminate 
independently of the other tasks. Thus, state space exploration based on enumerating all 
discrete states as in Uppaal and Kronos only succeeds for small systems. The 
DDD-based approach represents discrete states implicitly, yielding polynomial runtimes. 

In the second version of Milner’s scheduler we use a clock T_i for each task to ensure 
that it terminates within a certain bound [T^l, T^u] after it is started. Table 1(b) shows 
the runtimes to build the reachable state space for increasing N. Again, the runtimes of 
Kronos and Uppaal are exponential in N, while using the DDD data structure results 
in polynomial runtimes. The problem for Kronos and Uppaal is the large number of 
clock variables, which is handled in the DDD-based approach by eliminating unused 
clocks from the representation (i.e., we quantify out T_i whenever task t_i terminates). 



7 Conclusion 



The problem addressed in this paper is how to efficiently represent and manipulate a 
Boolean logic over integer- or real-valued inequalities of the form x − y ≤ c. We have 
proposed a data structure inspired by BDDs for representing the expressions from the 
logic as a decision diagram in which the test conditions are difference constraints. 

Introducing an ordering of the constraints makes it possible to extend the Apply 
algorithm for ordered BDDs to ordered DDDs without changing its runtime complexity. 
However, since the domain of the variables in the logic is infinitary, other operations, 
such as existential quantification, are more difficult than for BDDs. For ordered DDDs, 
these algorithms are basically polynomial, but they become exponential due to the 
ordering requirement. Another complication is that there are implicit constraints among the 
variables causing the DDD data structure to be non-canonical even when local 
reductions are used. A first step towards canonicity is to eliminate all infeasible paths. Such a 
path-reduced DDD can be tested for validity and satisfiability in constant time. However, 
semantically equivalent DDDs may still have different representations. We have defined 
several additional restricting conditions which we conjecture will result in canonical 
DDDs. It is clearly difficult to obtain an efficient canonical representation. Although 
canonicity would be intriguing to obtain and allow one to check for equivalence in 
constant time, it is not necessarily desirable in practice. A canonical representation will not 
necessarily be more compact than a non-canonical representation and the equivalence 
check can be performed as a validity check. 

Boolean variables can be modeled as difference constraints, making it possible to 
combine Boolean, continuous, and integer variables within a single data structure. All 
operations on the Boolean variables in the DDD are performed as efficiently as with 
BDDs. One use of combining Boolean and real-valued variables is in constructing the 
set of reachable states for a concurrent timed system. The effectiveness of the data 
structure and associated algorithms is demonstrated by analyzing two timed versions 
of Milner’s scheduler for which the set of reachable states is computed in polynomial 
time using DDDs, while the tools Kronos and Uppaal both take exponential time. 

One path that could be taken when extending the results of the paper would be to 
generalize the difference constraints to linear inequalities Σ_{i=1}^{n} a_i x_i ≤ c ordered by a 
total ordering. The basic data structure and the Apply algorithm would be unchanged. In 
the existential quantification the only change is in Relax, where x is isolated and new 
inequalities are obtained by substituting the inequality for x. In eliminating infeasible 
paths, a general linear programming solver must be used, e.g., the simplex algorithm. 
Abstract. Hybrid automata have been introduced in both control engineering 
and computer science as a formal model for the dynamics of 
hybrid discrete-continuous systems. In the case of so-called linear hybrid 
automata this formalization supports semi-decision procedures for 
state reachability, yet no decision procedures due to inherent undecidability [4]. 
Thus, unlike finite or timed automata, already linear hybrid 
automata are out-of-scope of fully automatic verification. 

In this article, we devise a new semi-decision method for safety of lin- 
ear and polynomial hybrid systems which may only fail on pathological, 
practically uninteresting cases. These remaining cases are such that their 
safety depends on the complete absence of noise, a situation unlikely to 
occur in real hybrid systems. Furthermore, we show that if low proba- 
bility effects of noise are ignored akin to the way they are suppressed in 
digital modelling then safety becomes fully decidable. 

Keywords: Hybrid Systems, Verification, Decision Procedures 



1 Introduction 

Hybrid systems consist of interacting discrete and continuous components. Most 
embedded systems belong to this class of systems, as they operate within tightly 
coupled networks of both types of components. Consequently, integration of 
discrete and continuous reasoning within a single formal model has recently 
attracted much interest. The hope is that such combined formalisms may ulti- 
mately help in developing real embedded systems. 

Among such formalisms, the automata-based ones provide the most immedi- 
ate prospect for mechanization. Roughly, hybrid automata can be characterized 
as a combination of finite automata whose transitions are triggered by predicates 
on the continuous plant state with a description of the evolution of the continuous 
plant. The latter consists of a set of real-valued variables that are governed by 
sets of syntactically restricted differential (in-)equations from which a currently 
active set is selected depending on the current automaton state. Mechanization 
of hybrid-automaton verification has partly become true, as e.g. the HyTech 
tool [3] supports among others a semi-decision procedure for state reachability in 
linear hybrid automata, which can — at least in principle, if complexity does not 
become prohibitive — be used for effectively falsifying safety properties. How- 
ever, as state reachability has been shown to be undecidable for linear hybrid 
automata [4], the complementary problem, i.e. verifying a safety property by 
showing that no undesirable state may ever be reached, cannot always be done 
effectively. 

However, it is illustrating to take a closer look at the proof technique used 
in [4] for showing undecidability of state reachability in linear hybrid automata. 
The core machinery is an instantiation of the following proof pattern: 

Effectively encode two-counter machines by hybrid automata, representing 
the counter values by two continuous variables of bounded range. E.g., 
by variables of range [0, 1] through the embedding e defined as e(k) = 2^{−k}. 

Although the results thus obtained are formally correct and absolutely well-done, 
their relevance to the practical design problems hybrid automata are intended 
to cover is questionable. The encodings used (e.g. e) encode infinite information, 
namely the set of natural numbers, within a compact interval of continuous 
states, whereas the ubiquity of noise limits the information content encodable 
by any bounded continuous variable encountered in real hybrid systems to a finite 
value. Hence, on simple information-theoretic grounds, the undecidability results 
thus obtained can be said to be artefacts of an overly idealized formalization. 

However, while this implies that the particular proof pattern sketched above 
lacks physical interpretation, it does not yield any insight as to whether the 
state reachability problem for hybrid systems featuring noise is decidable or 
not. We conjecture that there is a variety of realistic noise models for which 
the problem is indeed decidable. Within this article, we demonstrate this on a 
very simple model of noise, which we combine with a pragmatic attitude towards 
thresholds for noise being considered relevant. In Sect. 3 we devise a new decision 
method that is able to decide safety for those hybrid automata where safety 
does not depend on the complete absence of noise, i.e. which, if not unsafe, can 
tolerate some amount of noise without becoming unsafe. Furthermore, Sect. 4 
shows that the aforementioned decision method can cope with arbitrary hybrid 
systems whenever low-probability effects of noise are neglected. A technical side- 
condition for both results is that the safety region or the continuous state space 
of the hybrid automaton be bounded or — which is slightly more general — has 
strongly finite diameter (cf. Def. 1) wrt. an arbitrary metrics. 

Related work. To the best of our knowledge, dynamics of hybrid automata under 
noise has so far only been analyzed for the subclass of timed automata, where 
two fundamentally different models of the “robust”, noise-resistant behaviour 
of timed automata have been proposed by Gupta, Henzinger, and Jagadeesan 
[2] and by Puri [6] (both reports do, however, sketch generalizations to hybrid 
automata). While in the former line of work, the idealized behavioural model 
of timed automata is essentially kept and only filtered a posteriori by removing 
accepted and adding rejected trajectories that are isolated wrt. some topology 
on trajectories, the latter is more akin to our approach in that it models the 
impact of noise (i.e. clock drift, if only timed automata are dealt with) as a 
widening of the transition relation and defines the reachable states as those that 
are reachable under arbitrarily small positive noise. 

2 Hybrid automata 

We start our investigation by providing a formalization of hybrid automata. The 
class of hybrid automata we will deal with goes beyond linear hybrid automata 
in that we will allow polynomial (instead of only linear) activities and polyno- 
mial (instead of linear) predicates for state invariants, transition guards, and 
transition effects. The reasons for adopting a more general class than usual are 
twofold. First, all our results can be shown for this more general class without 
any extra effort. Second, all definitions, statements, and proofs concerning this 
class of hybrid automata are more compact as no need to keep state invariants 
separate from activity predicates and transition guards separate from transition 
effects arises. Instead, every state and transition can be described by just one 
polynomial predicate, formalised through the first-order logic over the real-closed 
field, denoted FOL(ℝ, +, ×) in the remainder. 

Therefore, within this article, a (polynomial) hybrid automaton of dimensionality 
d (d ∈ ℕ) is a six-tuple 

$$(\Sigma,\ \mathbf{x},\ (\mathit{act}_\sigma)_{\sigma\in\Sigma},\ (\mathit{trans}_{\sigma\to\sigma'})_{\sigma,\sigma'\in\Sigma},\ (\mathit{initial}_\sigma)_{\sigma\in\Sigma},\ (\mathit{safe}_\sigma)_{\sigma\in\Sigma}),$$

where Σ is a finite set, representing the discrete states, and x = (x_1, …, x_d) is 
a vector of length d of variable names, the continuous variables of the hybrid 
system.¹ (act_σ)_{σ∈Σ} is a Σ-indexed family of formulae from FOL(ℝ, +, ×) with 
free variables ↼x, x, representing the continuous activities and corresponding state 
constraints, and (trans_{σ→σ′})_{σ,σ′∈Σ} a doubly Σ-indexed family of formulae from 
FOL(ℝ, +, ×) with free variables ↼x, x, representing the discrete transitions and 
their guarding conditions. Finally, (initial_σ)_{σ∈Σ} and (safe_σ)_{σ∈Σ} are Σ-indexed 
families of formulae from FOL(ℝ, +, ×) with free variables x representing the 
initial and the safe states of the hybrid automaton. 

The interpretation is as follows: 

— An activity predicate act_σ defines the possible evolution of the continuous 
state while the system is in discrete state σ. Hooked variable names in the 
predicate refer to the values of the corresponding system variables before the 
activity, while undecorated variable names refer to the values thereafter. A 
satisfying valuation (↼x, x) of its free variables ↼x, x is interpreted as: if the 
system is in state σ and its continuous variables have values ↼x then the 
continuous variables may evolve to x while staying in state σ. 

¹ Here and in the following, we use the convention to print vectors of variables or 
constants in boldface. All these vectors have length d. 

Note that this single predicate thus generalizes both the state invariants and 
the activity functions of classical hybrid automata. E.g. the activity predicate 

$$\exists \Delta t.\ \overleftarrow{x} + 3\Delta t \le x \;\wedge\; x \le \overleftarrow{x} + 5\Delta t \;\wedge\; 4 < x \;\wedge\; x \le 10$$

encodes both the linear activity ẋ ∈ [3, 5] and the state invariant x ∈ (4, 10]. 

— A transition predicate trans_{σ→σ′} defines when the system may evolve from 
state σ to state σ′ by a discrete transition (i.e., it specifies the transition 
guard) and what the effect of that transition on the continuous variables is. 
A satisfying valuation (↼x, x) of its free variables ↼x, x is interpreted as: if the 
system is in state σ and its continuous variables have values ↼x then the 
system may evolve to state σ′ with its continuous variables taking the new 
values x. 

Assignments as present in hybrid automata are simple to represent in this 
framework: e.g. for a hybrid system with continuous variables (x_1, …, x_8) the 
assignment x_7 := 5 (where all other continuous variables are left unchanged) 
is encoded by the predicate x_7 = 5 ∧ ⋀_{i∈{1,…,6,8}} x_i = ↼x_i. Accordingly, guards 
are simply encoded through predicates over the hooked variables: e.g. the 
guard x_3 > 11 is represented by ↼x_3 > 11. A transition with guard x_3 > 11 
and assignment x_7 := 5 is thus encoded by the predicate 

$$\overleftarrow{x}_3 > 11 \;\wedge\; x_7 = 5 \;\wedge\; \bigwedge_{i\in\{1,\ldots,6,8\}} x_i = \overleftarrow{x}_i.$$

Multiple different transitions between the same state pair can be represented 
by disjunction of their encodings. 

It should be noted that there is no strict need to distinguish between activities 
and transitions in FOL(ℝ, +, ×). This is just a matter of convenience for the 
further development. 



Dynamic behaviour. During execution, hybrid automata engage in an 
alternating sequence of discrete transitions and evolution phases, where the 
continuous variables evolve according to an activity. Hence a (partial) execution 
containing n ∈ ℕ transitions comprises n transitions interspersed between n + 1 
evolution phases, where the final states (wrt. both discrete and continuous state 
components) of the evolution phases meet the initial states of the following 
transition and vice versa the final states of the transitions meet the initial states of 
the following evolution phase. Thus reachability of a final discrete state σ′ and 
a final continuous state x from an initial discrete state σ and an initial 
continuous state ↼x through an execution containing n transitions can be formalised 
through the inductively defined predicate σ →⁽ⁿ⁾ σ′, with free variables ↼x, x, where 

$$\sigma \xrightarrow{(0)} \sigma' \;=\; \begin{cases} \mathit{false}, & \text{if } \sigma \ne \sigma', \\ \mathit{act}_\sigma, & \text{if } \sigma = \sigma', \end{cases}$$

$$\sigma \xrightarrow{(n)} \sigma' \;=\; \bigvee_{\sigma''\in\Sigma} \exists \mathbf{x}_1, \mathbf{x}_2.\ \Big( (\sigma \xrightarrow{(n-1)} \sigma'')[\mathbf{x}_1/\mathbf{x}] \;\wedge\; \mathit{trans}_{\sigma''\to\sigma'}[\mathbf{x}_1, \mathbf{x}_2/\overleftarrow{\mathbf{x}}, \mathbf{x}] \;\wedge\; \mathit{act}_{\sigma'}[\mathbf{x}_2/\overleftarrow{\mathbf{x}}] \Big) \qquad \text{for } n > 0.$$
A hybrid automaton is called safe iff it may never reach an unsafe state. As usual, an unsafe state is considered reachable iff there is a partial execution (of arbitrary length) from some initial state to a state not belonging to the set of safe states. An unsafe state is reachable in at most $n$ steps iff there is such a partial execution containing at most $n$ discrete transitions.

The latter property can be easily formalised using the formalization of partial runs: an unsafe state is reachable within $n$ steps iff $\mathit{initial}_\sigma[\overleftarrow{x}/x] \wedge \neg\mathit{safe}_{\sigma'} \wedge \sigma \Rightarrow^i \sigma'$ is satisfiable for some discrete states $\sigma$ and $\sigma'$ and some $i \leq n$. This is equivalent to satisfiability of the formula

$$\mathit{Unsafe}_n \;\stackrel{\mathrm{def}}{=}\; \bigvee_{\sigma' \in \Sigma} \mathit{Reach}^{\leq n}_{\sigma'} \wedge \neg\mathit{safe}_{\sigma'} ,$$

where

$$\mathit{Reach}^{\leq n}_{\sigma'} \;\stackrel{\mathrm{def}}{=}\; \bigvee_{i \in \mathbb{N}_{\leq n}} \;\bigvee_{\sigma \in \Sigma} \;(\sigma \Rightarrow^i \sigma') \wedge \mathit{initial}_\sigma[\overleftarrow{x}/x] \qquad (1)$$

characterizes the continuous states reachable in at most $n$ steps within discrete state $\sigma'$. Consequently, an unsafe state is reachable iff there is some $n \in \mathbb{N}$ for which $\mathit{Unsafe}_n$ is satisfiable.

Note that $\mathit{Unsafe}_n$ is a formula of $\mathrm{FOL}(\mathbb{R},+,\times)$ such that reachability of an unsafe state within at most $n$ steps is decidable due to the decidability of $\mathrm{FOL}(\mathbb{R},+,\times)$ [7]. By successively testing increasing $n$, this immediately yields a (well-known) semi-decision procedure for reachability of unsafe states:

Lemma 1 (Semi-decidability of safety). It is semi-decidable whether a given polynomial hybrid automaton is unsafe. □

However, this semi-decision procedure does not generalize to a decision procedure: state reachability and thus safety is known to be undecidable even for hybrid automata featuring just two clocks and a single stop-watch [4], where a clock is a continuous variable having constant slope 1 within any activity, and a stop-watch is a continuous variable alternating between slopes 0 and 1 only. Thus, undecidability applies already to hybrid automata with just three continuous variables $x_1, x_2, x_3$ and activity predicates of only the two forms $\exists t \geq 0 .\, (x_1 = \overleftarrow{x}_1) \wedge \bigwedge_{i \in \{2,3\}} (x_i = \overleftarrow{x}_i + t)$ and $\exists t \geq 0 .\, \bigwedge_{i \in \{1,2,3\}} (x_i = \overleftarrow{x}_i + t)$, i.e. the stop-watch $x_1$ is stopped in the former and running in the latter.

Of course, there are lucky cases where the set of reachable hybrid states stabilizes finitely, i.e. where $n \in \mathbb{N}$ exists s.t. for each $\sigma' \in \Sigma$, the formula $\mathit{Reach}^{\leq n}_{\sigma'}$ characterizing the continuous state set reachable in at most $n$ steps within discrete state $\sigma'$ is logically equivalent to its successor $\mathit{Reach}^{\leq n+1}_{\sigma'}$. In such cases, these finite approximations of the reachable hybrid state set can not only be used for falsifying safety properties (as in the semi-decision procedure of Lemma 1), but also for verifying safety. However, as the undecidability result shows, such stabilization need not occur. Therefore, this analysis, which is supported e.g. by the HyTech tool [3], is only a partial remedy.
3 Noise in hybrid automata

Let us step back for a moment and take a philosophical perspective on the 
problem just encountered. Unlike finite automata, where the full reach set can 
always be constructed in a finite number of steps, namely at most the size of 
the state space, the reach set of hybrid automata need not converge finitely. 
This suggests that hybrid automata are indeed infinite state systems, where the 
infinite memory is provided by the continuous state components. However, real 
hybrid systems are always subject to noise, and thus one might suspect that 
their continuous components can provide only finite memory. If so, they would in fact be finite-state systems, with the size of the state space being the product of the size of the discrete state space and the effective size of the continuous state space modulo noise.

But then, the reach set computation of hybrid automata modeling real sys- 
tems should also converge finitely, just as with finite automata, yielding decid- 
ability of state reachability and safety. And, vice versa, any hybrid automaton 
for which safety cannot be determined finitely would then be an unrealistic one 
which crucially relies on complete absence of noise for realizing an infinite state 
set. We conjecture that the reach set of such a hybrid automaton is practically 
uninteresting in that it changes drastically under even the slightest disturbance. 

It is the theme of the remainder of this article to make these ideas operational. 
In particular, we devise a new procedure for determining state reachability in 
polynomial hybrid automata which may fail only on extremely noise-sensitive 
borderline cases. Non-termination of this procedure may only occur with hybrid 
automata that cannot reach the questioned states, yet may reach them under 
even the slightest disturbance. Thus, safety (in the sense of not reaching an 
undesirable state) of these automata is practically uninteresting as it crucially 
depends on complete absence of noise, and therefore is just a fiction. 



3.1 A simple model of noise 

We begin by formalizing a simple model of noise in hybrid automata. Within this model we assume that noise will leave the discrete state set and transitions unaffected, but will make the evolution phases more nondeterministic. I.e., given a hybrid automaton

$$A = \big(\Sigma,\; x,\; (\mathit{act}_\sigma)_{\sigma \in \Sigma},\; (\mathit{trans}_{\sigma \to \sigma'})_{\sigma,\sigma' \in \Sigma},\; (\mathit{initial}_\sigma)_{\sigma \in \Sigma},\; (\mathit{safe}_\sigma)_{\sigma \in \Sigma}\big) ,$$

a disturbed variant of $A$ is any hybrid automaton

$$\overline{A} = \big(\Sigma,\; x,\; (\overline{\mathit{act}}_\sigma)_{\sigma \in \Sigma},\; (\mathit{trans}_{\sigma \to \sigma'})_{\sigma,\sigma' \in \Sigma},\; (\mathit{initial}_\sigma)_{\sigma \in \Sigma},\; (\mathit{safe}_\sigma)_{\sigma \in \Sigma}\big)$$

with $\mathit{act}_\sigma \Rightarrow \overline{\mathit{act}}_\sigma$ for each $\sigma \in \Sigma$.

Now assume that the continuous state space comes equipped with a first-order definable metrics $\mathit{dist}$, with $\mathit{dist}(x,y)$ being its definition in $\mathrm{FOL}(\mathbb{R},+,\times)$. Furthermore, let $\varepsilon$ be a first-order definable constant in $\mathbb{R}_{>0}$. We say that a disturbance $\overline{A}$ of $A$ is a disturbance of noise level $\varepsilon$ or more wrt. $\mathit{dist}$ iff

$$\exists y .\, \big(\mathit{act}_\sigma[y/x] \wedge \mathit{dist}(x,y) < \varepsilon\big) \;\Rightarrow\; \overline{\mathit{act}}_\sigma \qquad (2)$$

for each $\sigma \in \Sigma$. Thus, evolution phases can drift away within at least an open ball of radius $\varepsilon$ under such disturbances. It seems reasonable to assume that within any realistic noise field such disturbances exist for some sufficiently small $\varepsilon$.¹
Obviously, a disturbance will yield additional possible behaviours, possibly 
leading to otherwise unreachable states. In particular, the disturbed system 
yields an overapproximation of the undisturbed system. It comes as a surprise 
that, under fairly mild extra conditions, such an overapproximation can be con- 
structed within a finite number of steps, as the following lemma shows. 

Before we can turn to this central lemma, we have to define the crucial notion of sets of strongly finite diameter.

Definition 1 (Strongly finite diameter). Let $S \subseteq \mathbb{R}^d$. We say that $S$ has finite diameter wrt. the metrics $\mathit{dist}$ iff $\sup\{\mathit{dist}(x,y) \mid x, y \in S\} < \infty$. We say that $S$ has strongly finite diameter wrt. the metrics $\mathit{dist}$ iff for any $\varepsilon > 0$, each subset $P \subseteq S$ containing only points that have a mutual distance of at least $\varepsilon$ is finite, i.e.

$$\forall \varepsilon > 0,\, P \subseteq S .\; \Big(\forall x, y \in P .\, \big(x \neq y \Rightarrow \mathit{dist}(x,y) \geq \varepsilon\big)\Big) \Rightarrow |P| < \infty .$$

Note that the notions of finite diameter and strongly finite diameter coincide for most of the “natural” metrics on $\mathbb{R}^d$, like Euclidean distance, maximum norm, and taxi-cab metrics, yet differ for some others, like the discrete metrics or the so-called radar-screen metrics.

In the following, let $A$ be a hybrid automaton, $\varepsilon > 0$, and $\overline{A}$ be a disturbance of $A$ of noise level $\varepsilon$ or more. By $\overline{\mathit{Reach}}^{\leq n}_{\sigma'}$ we denote the predicate obtained from the defining equation (1) when applied to $\overline{A}$ instead of $A$. Thus, $\overline{\mathit{Reach}}^{\leq n}_{\sigma'}$ is a formula in $\mathrm{FOL}(\mathbb{R},+,\times)$ formalizing the continuous states reachable by the disturbed automaton $\overline{A}$ within discrete state $\sigma'$ in at most $n$ steps. Finally, we denote in the remainder for any $\mathrm{FOL}(\mathbb{R},+,\times)$-formula $\phi$ by $[\![\phi]\!]_x$ the subset

$$\big\{\, (c_1, \ldots, c_d) \in \mathbb{R}^d \;\big|\; I[x_1 \mapsto c_1, \ldots, x_d \mapsto c_d] \models \phi \text{ for some valuation } I \,\big\}$$

of $\mathbb{R}^d$.

¹ Concerning the range of applicability of the model, it is worth noting that for the theory exposed in the remainder, the fact that every activity is subject to drift of at least $\varepsilon$ for some $\varepsilon > 0$ is not essential. While we have chosen such a model in order to simplify exposition, the theory itself can be easily extended to the more general situation that only every cycle in the discrete state space of the hybrid automaton (i.e. every alternating sequence of activities and transitions going from some discrete state $\sigma$ via other discrete states back to $\sigma$) contains at least one activity with drift of at least $\varepsilon$.
Lemma 2 (Finite overapproximation). Assume that the reach set $RS_\sigma \stackrel{\mathrm{def}}{=} \bigcup_{n \in \mathbb{N}} [\![\overline{\mathit{Reach}}^{\leq n}_\sigma]\!]_x$ of $\overline{A}$ has strongly finite diameter wrt. the metrics $\mathit{dist}$. Then there is $i \in \mathbb{N}$ s.t. the dynamics of the undisturbed hybrid automaton $A$ is contracting on $[\![\overline{\mathit{Reach}}^{\leq i}_\sigma]\!]_x$, i.e.

$$\bigvee_{\sigma' \in \Sigma} \exists x_1, x_2 .\, \Big( \overline{\mathit{Reach}}^{\leq i}_{\sigma'}[x_1/x] \;\wedge\; \mathit{trans}_{\sigma' \to \sigma}[x_1, x_2/\overleftarrow{x}, x] \;\wedge\; \mathit{act}_\sigma[x_2/\overleftarrow{x}] \Big) \;\Rightarrow\; \overline{\mathit{Reach}}^{\leq i}_\sigma \qquad (3)$$

holds for each $\sigma \in \Sigma$. I.e., there is some $i \in \mathbb{N}$ s.t. the state space reachable in the disturbed automaton $\overline{A}$ within $i$ steps is closed under any possible evolution of $A$.

Proof. We use contraposition and show that $RS_\sigma$ does not have strongly finite diameter if (3) is invalid for all $i \in \mathbb{N}$. Therefore, we start from the assumption that $\mathit{out}_i \stackrel{\mathrm{def}}{=} \neg(3)$ is satisfiable for each $i \in \mathbb{N}$. We will show that this implies existence of an infinite set $P \subseteq RS_\sigma$ of $\varepsilon$-separated points, which implies that $RS_\sigma$ does not have strongly finite diameter. An appropriate $P$ is defined as $\bigcup_{i \in \mathbb{N}} \{p_i\}$ with $p_i$ being an arbitrary element of $[\![\mathit{out}_i]\!]_x$. Note that for each $i \in \mathbb{N}$ such a $p_i$ exists due to satisfiability of $\mathit{out}_i$. It remains to be shown that

(a) $P \subseteq RS_\sigma$, (b) $P$ is infinite, and (c) $P$ contains only $\varepsilon$-separated points.

For both (b) and (c) it suffices to show that $\mathit{dist}(p_i, p_j) \geq \varepsilon$ for $i < j$. The key argument towards this is illustrated in Fig. 1. For a formal proof, we show that $p \in [\![\mathit{out}_i]\!]_x$ implies that $p' \in [\![\overline{\mathit{Reach}}^{\leq i+1}_\sigma]\!]_x$ for each $p'$ with $\mathit{dist}(p, p') < \varepsilon$. Therefore observe that by definition

$$[\![\overline{\mathit{Reach}}^{\leq i+1}_\sigma]\!]_x$$

⊇ [Def. of $\overline{\mathit{Reach}}^{\leq i+1}_\sigma$]

$$\Big[\!\!\Big[ \bigvee_{\sigma' \in \Sigma} \exists x_1, x_2 .\, \Big( \overline{\mathit{Reach}}^{\leq i}_{\sigma'}[x_1/x] \wedge \mathit{trans}_{\sigma' \to \sigma}[x_1, x_2/\overleftarrow{x}, x] \wedge \overline{\mathit{act}}_\sigma[x_2/\overleftarrow{x}] \Big) \Big]\!\!\Big]_x$$

⊇ [Property (2) of $\overline{\mathit{act}}_\sigma$]

$$\Big[\!\!\Big[ \bigvee_{\sigma' \in \Sigma} \exists x_1, x_2, y .\, \Big( \overline{\mathit{Reach}}^{\leq i}_{\sigma'}[x_1/x] \wedge \mathit{trans}_{\sigma' \to \sigma}[x_1, x_2/\overleftarrow{x}, x] \wedge \mathit{act}_\sigma[x_2, y/\overleftarrow{x}, x] \wedge \mathit{dist}(x, y) < \varepsilon \Big) \Big]\!\!\Big]_x$$

⊇ [Def. of $\mathit{out}_i$]

$$\big\{\, p \in \mathbb{R}^d \;\big|\; \mathit{dist}(p, \tilde{p}) < \varepsilon \text{ for some } \tilde{p} \in [\![\mathit{out}_i]\!]_x \,\big\} .$$

Hence, $\tilde{p} \in [\![\mathit{out}_i]\!]_x$ and $\mathit{dist}(p, \tilde{p}) < \varepsilon$ implies $p \in [\![\overline{\mathit{Reach}}^{\leq i+1}_\sigma]\!]_x$. In particular

$$\mathit{dist}(p_i, p) < \varepsilon \;\text{ implies }\; p \in [\![\overline{\mathit{Reach}}^{\leq i+1}_\sigma]\!]_x . \qquad (4)$$
[Fig. 1 panels: Point 0; Point 1; Points 2 and 3]

Fig. 1. Constructing an infinite set of $\varepsilon$-separated points in phase-space. Points $p_i$ are selected s.t. $p_i \notin [\![\overline{\mathit{Reach}}^{\leq i}_\sigma]\!]_x$, yet $p_i$ is reachable from $[\![\overline{\mathit{Reach}}^{\leq i}_{\sigma'}]\!]_x$ under a transition followed by an activity of the undisturbed automaton $A$. Consequently, the disturbed automaton $\overline{A}$ may under the same transition and the corresponding activity reach any point within the $\varepsilon$-ball around $p_i$ s.t. this neighborhood is fully covered by $[\![\overline{\mathit{Reach}}^{\leq i+1}_\sigma]\!]_x$. Hence, for $j > i$, point $p_j$ has a minimum distance of $\varepsilon$ from $p_i$.



As $\mathit{dist}(p_i, p_i) = 0$, this shows that $p_i \in [\![\overline{\mathit{Reach}}^{\leq i+1}_\sigma]\!]_x \subseteq RS_\sigma$ and thus proves (a). Furthermore, if $i < j$ then $p_j \notin [\![\overline{\mathit{Reach}}^{\leq i+1}_\sigma]\!]_x$ can be inferred from the fact that by definition $p_j \in [\![\mathit{out}_j]\!]_x$ and $\mathit{out}_j$ entails $\neg\overline{\mathit{Reach}}^{\leq j}_\sigma$, which in turn entails $\neg\overline{\mathit{Reach}}^{\leq i+1}_\sigma$ as $i+1 \leq j$. Therefore, (4) yields $\mathit{dist}(p_i, p_j) \geq \varepsilon$ for $i < j$, which proves (b) and (c). □

Furthermore, it is easy to see that such an $i \in \mathbb{N}$ with the property that the state space reachable in the disturbed automaton $\overline{A}$ within $i$ steps is closed under any possible dynamic evolution of $A$ can be determined effectively.

Corollary 1. If the reach set $RS_\sigma$ of $\overline{A}$ has strongly finite diameter for each $\sigma \in \Sigma$, then an $i \in \mathbb{N}$ can be effectively determined s.t. property (3) holds for each $\sigma \in \Sigma$.

Proof. For each $i \in \mathbb{N}$, property (3) is a formula of $\mathrm{FOL}(\mathbb{R},+,\times)$ and thus decidable. Hence, by e.g. $\mu$-recursion, an $i \in \mathbb{N}$ s.t. property (3) holds for each $\sigma \in \Sigma$ can be determined effectively iff there is such an $i$. However, existence of an $i \in \mathbb{N}$ s.t. property (3) holds is guaranteed by Lemma 2. □

Now assume that we have determined an $i \in \mathbb{N}$ such that the state space reachable in the disturbed automaton $\overline{A}$ within $i$ steps is closed under any possible evolution of $A$. As the state space reachable by $\overline{A}$ within $i$ steps trivially covers the initial state set of $\overline{A}$ and thus of $A$, closure of this state space under the possible dynamic evolutions of $A$ implies that this state space covers all states reachable by $A$. This yields the following corollary:

Corollary 2. If the reach set $RS_\sigma$ of $\overline{A}$ has strongly finite diameter for each $\sigma \in \Sigma$, then an $i \in \mathbb{N}$ can be effectively determined s.t. for each $\sigma \in \Sigma$

$$\bigcup_{n \in \mathbb{N}} [\![\mathit{Reach}^{\leq n}_\sigma]\!]_x \;\subseteq\; [\![\overline{\mathit{Reach}}^{\leq i}_\sigma]\!]_x .$$
Proof. By Cor. 1 an $i \in \mathbb{N}$ satisfying property (3) can be effectively determined if the reach set $RS_\sigma$ of $\overline{A}$ has strongly finite diameter for each $\sigma \in \Sigma$. Now, property (3) for each $\sigma \in \Sigma$ implies that the set $R$ of hybrid states $(\sigma, p)$ with $p \in [\![\overline{\mathit{Reach}}^{\leq i}_\sigma]\!]_x$ is closed under the possible evolutions of $A$. As $R$ contains any initial state of $\overline{A}$ and thus of $A$, this implies that $R$ covers all reachable states of $A$. Therefore, $\bigcup_{n \in \mathbb{N}} [\![\mathit{Reach}^{\leq n}_\sigma]\!]_x \subseteq [\![\overline{\mathit{Reach}}^{\leq i}_\sigma]\!]_x$ for each $\sigma \in \Sigma$. □

This implies that if $\overline{A}$ is safe and its reach set has strongly finite diameter then we obtain within a finite number of iterations, and thus effectively, a witness for safety of $A$.

Now assume that the safety condition is such that it implies strongly finite diameter of the reachable state set, i.e. that $[\![\mathit{safe}_\sigma]\!]_x$ has strongly finite diameter for each $\sigma \in \Sigma$.² This gives rise to the peculiar situation that falsification of $\overline{A}$ and verification of $A$ become tightly coupled:

Corollary 3. If safety implies strongly finite diameter, i.e. if $[\![\mathit{safe}_\sigma]\!]_x$ has strongly finite diameter for each $\sigma \in \Sigma$, then either the disturbed automaton $\overline{A}$ is unsafe (which can be determined effectively) or safety of the undisturbed automaton $A$ can be determined effectively.

Proof. We distinguish the two cases that either the reach set $RS_\sigma$ of $\overline{A}$ has strongly finite diameter for each $\sigma \in \Sigma$, or not. In the first case there is an $i \in \mathbb{N}$ satisfying property (3) for each $\sigma \in \Sigma$ due to Cor. 1. In the second case, the premiss that safety implies strongly finite diameter implies that $\exists x, \overleftarrow{x} .\, \overline{\mathit{Unsafe}}_i$ holds for some $i \in \mathbb{N}$, where $\overline{\mathit{Unsafe}}_i$ denotes the formula $\mathit{Unsafe}_i$ built for $\overline{A}$. As both (3) and $\exists x, \overleftarrow{x} .\, \overline{\mathit{Unsafe}}_i$ are decidable formulae, the minimum $i \in \mathbb{N}$ such that

$$\bigwedge_{\sigma \in \Sigma} (3) \;\;\vee\;\; \exists x, \overleftarrow{x} .\, \overline{\mathit{Unsafe}}_i \qquad (5)$$

can be determined effectively in either case.

Once such an $i$ has been determined, it remains to check the (decidable) property $\exists x, \overleftarrow{x} .\, \overline{\mathit{Unsafe}}_i$. If it holds then $\overline{A}$ is unsafe. Otherwise (5) implies that (3) holds for each $\sigma \in \Sigma$. But then, according to Cor. 2, $\bigcup_{n \in \mathbb{N}} [\![\mathit{Reach}^{\leq n}_\sigma]\!]_x \subseteq [\![\overline{\mathit{Reach}}^{\leq i}_\sigma]\!]_x$, which implies

$$\bigcup_{n \in \mathbb{N}} [\![\mathit{Reach}^{\leq n}_\sigma]\!]_x \;\subseteq\; [\![\mathit{safe}_\sigma]\!]_x ,$$

as $\exists x, \overleftarrow{x} .\, \overline{\mathit{Unsafe}}_i$ does not hold. I.e., $A$ has then been shown to be safe. □

An illustration of the verification procedure outlined in above corollary can be 
found in Fig. 2. 

Now, let us take a look at what is a pragmatically reasonable correctness 
criterion for hybrid systems. It is pragmatically clear that a system should not 
be called safe if no more than the slightest disturbance is necessary to render it 
unsafe. This motivates the following definition of robustness. 

Definition 2 (Robustness). A hybrid system is called fragile if it is safe, yet any disturbance of arbitrarily small positive noise level is unsafe. All other hybrid systems are called robust. I.e., a hybrid automaton $A$ is robust iff it is unsafe or there is an $\varepsilon > 0$ and a safe disturbance $\overline{A}$ of noise level $\varepsilon$ or more.

² Note that for Euclidean distance or equivalent metrics, this condition is equivalent to the safety region being finitely bounded, a case frequently encountered in practice.




136 M. Fränzle

Fig. 2. Verification using the technique of Cor. 3. Top left: A hybrid automaton $A$. Top right: Some steps of its reach set computation. Bottom: Reach set computation for a disturbed variant of noise level 1 under the maximum norm. Shaded parts denote $[\![\overline{\mathit{Reach}}^{\leq i}_\sigma]\!]_x$ while solid colour denotes the states reachable by the undisturbed automaton from $[\![\overline{\mathit{Reach}}^{\leq i}_\sigma]\!]_x$. Note that reach set computation neither terminates for $A$ nor for its disturbed variant, yet $A$ is contracting on $[\![\overline{\mathit{Reach}}^{\leq 2}_\sigma]\!]_x$.



As practical interest clearly is in robust systems only, the following theorem, which states that robust systems can (at least in principle) be automatically verified, is a strong result.

Theorem 1 (Decidability of reachability for robust systems). If $A$ is a robust hybrid automaton, and if safety implies strongly finite diameter, then it is decidable whether $A$ is safe.

Proof. A semi-decision procedure for $A$ being unsafe has already been devised in Sect. 1. Hence, it remains to establish a semi-decision procedure for safety of robust automata. This can be done as follows:

1. Select some $n \in \mathbb{N}$.

2. Build the hybrid automaton $\overline{A} \stackrel{\mathrm{def}}{=} A_{1/n}$, where for arbitrary $\delta > 0$, $A_\delta$ denotes the disturbed variant of $A$ with $\overline{\mathit{act}}_\sigma \stackrel{\mathrm{def}}{=} \exists y .\, \mathit{act}_\sigma[y/x] \wedge \mathit{dist}(x, y) < \delta$.

3. Using Cor. 3, determine whether $\overline{A}$ is unsafe or $A$ is safe. In the former case select a strictly greater $n \in \mathbb{N}$ than before and redo from step 2. Otherwise a witness for safety of $A$ has been found. Terminate successfully. □

Now, given the fact that robust systems can be automatically verified, there remains the question whether robustness can be automatically detected.

Corollary 4 (Undecidability of robustness). It is undecidable whether a hybrid automaton is robust or fragile, even when we restrict interest to safety predicates that imply strongly finite diameter. It is, however, semi-decidable in the latter case.



Proof. Let us restrict attention to safety predicates that imply strongly finite diameter. All fragile systems are by definition safe (cf. Def. 2). Hence, safety of a hybrid automaton is trivially decidable once it is known to be fragile. Likewise, by the extra condition on safety predicates, safety of a hybrid automaton is decidable due to Theorem 1 once it is known to be robust. Consequently, decidability of being robust would imply decidability of safety for arbitrary hybrid automata. However, state reachability and thus safety is undecidable even for linear hybrid automata with finitely bounded state space (where safety trivially implies strongly finite diameter wrt. e.g. Euclidean distance) [4], and therefore robustness is undecidable.

It is, however, semi-decidable by a minor variation of the decision procedure of Theorem 1: a hybrid automaton $A$ is robust iff it is either unsafe or there is some noise level $\varepsilon > 0$ and some disturbed variant $\overline{A}$ of noise level $\varepsilon$ or more that is safe. However, in the latter case $A$ also has a disturbed variant of positive noise level that is not only safe, but also robust itself, e.g. the automaton $A_{\varepsilon/2}$. Therefore, a hybrid automaton $A$ is robust iff it is either unsafe or there is some noise level $\varepsilon > 0$ such that $A_{\varepsilon/2}$ is robust and safe. The first case is semi-decidable by the semi-decision procedure for being unsafe devised in Sect. 1, while the latter case is semi-decidable by applying the semi-decision procedure for safety of robust automata of Theorem 1 to the automata $A_{\varepsilon/2}$ for successively smaller $\varepsilon$. □

The undecidability result, while disappointing, should nevertheless be no serious 
obstacle in practice. It is good engineering practice to make systems tolerant 
against noise. Thus, any well-engineered system should be robust s.t. the decision 
procedure of theorem 1 comes to an answer. A simple sufficient criterion for 
robustness is nevertheless currently unknown. This comes as no surprise, as the 
same applies even for the related notion of robustness of timed automata [6]. 
However, robustness of timed automata is decidable. 

Even without decidability of robustness, it is in principle possible to compute the exact noise margin that a hybrid automaton can cope with. Here, the noise margin that a hybrid automaton $A$ can cope with is defined as

$$\mathit{Noisemargin}(A) \;\stackrel{\mathrm{def}}{=}\; \sup \Big\{\, \varepsilon > 0 \;\Big|\; A \text{ has a safe disturbance } \overline{A} \text{ of noise level } \varepsilon \text{ or more} \,\Big\}$$

with $\sup \emptyset \stackrel{\mathrm{def}}{=} 0$, for the sake of completeness.

Theorem 2 (Computability of robustness margins). For any hybrid automaton $A$ where safety implies strongly finite diameter, the maximum noise margin $\mathit{Noisemargin}(A)$ that $A$ can cope with can be computed effectively (in the sense of computable real numbers).
Proof. We use the following definition of computable real numbers: a real number $x$ is computable iff there is an algorithm that given as input a positive rational number denoting the desired precision yields an approximation of $x$ of at least that precision. I.e., given any rational number $\delta > 0$ it yields a rational number $\tilde{x}$ with $x - \delta < \tilde{x} < x + \delta$. To achieve this, it suffices to have an effective procedure that determines for every pair $a < b$ of rational numbers whether $x < b$ or $x > a$ in the following sense: if $a < x < b$ then it may give an arbitrary answer; if however $x \leq a$ ($x \geq b$, resp.) then it gives the definitive answer $x < b$ ($x > a$, resp.).

Such a procedure exists for the noise margin: it suffices to apply Cor. 3 to the two automata $A_a$ and $A_b$ instead of $A$ and $\overline{A}$. The decision procedure outlined there will either prove $A_a$ to be safe, in which case $\mathit{Noisemargin}(A) \geq a$ follows, or prove $A_b$ to be unsafe, in which case $\mathit{Noisemargin}(A) \leq b$ follows. □
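The procedure of Cor. 3, the noise-level loop in the proof of Theorem 1 and the bracketing of the noise margin in the proof of Theorem 2 can be exercised on a small instance. The following Python script is an added example and not part of the paper: it restricts the setting to one continuous variable, affine activities $x \mapsto a \cdot x + b$, interval guards and resets, and the absolute-value metric, so that every continuous state set is a finite union of closed intervals with exact rational endpoints and the reach-set operations become interval arithmetic instead of $\mathrm{FOL}(\mathbb{R},+,\times)$ decision procedures. Closed $\varepsilon$-balls replace the open balls of property (2), the class HA, the automata HALVING and FRAGILE and all function names are this example's own choices, and the two automata are constructed for illustration. HALVING starts at $x = 1$ and halves $x$ in every evolution phase, so its exact reach set $\{1/2, 1/4, 1/8, \ldots\}$ never stabilizes, whereas the reach set of its disturbance of noise level $1/10$ is closed under the undisturbed dynamics after two steps, which proves safety wrt. the bounded safe region $-2 \leq x \leq 2$ by Cor. 2. FRAGILE has the same dynamics and the safe region $0 \leq x \leq 2$: it is safe, yet every disturbance of positive noise level drives $x$ below $0$, so the loop of Theorem 1 finds no witness, as expected of a fragile automaton in the sense of Def. 2.

```python
from fractions import Fraction as F

# Continuous state sets are finite unions of closed intervals [lo, hi] with exact
# rational endpoints: the one-variable, closed-interval fragment of FOL(R,+,x).
def normalize(ivs):
    """Sort and merge overlapping closed intervals."""
    out = []
    for lo, hi in sorted(ivs):
        if out and lo <= out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out

def covers(big, small):
    """Is every interval of `small` contained in one interval of `big`?"""
    return all(any(b[0] <= s[0] and s[1] <= b[1] for b in big) for s in small)

def affine(ivs, a, b):
    """Image under x |-> a*x + b."""
    return normalize([(min(a*lo + b, a*hi + b), max(a*lo + b, a*hi + b)) for lo, hi in ivs])

def dilate(ivs, eps):
    """Closed eps-neighbourhood w.r.t. |x - y|: the noise model of property (2)."""
    return normalize([(lo - eps, hi + eps) for lo, hi in ivs])

def meet(ivs, guard):
    """Intersection with a guard interval; None stands for the guard `true`."""
    if guard is None:
        return ivs
    cut = [(max(lo, guard[0]), min(hi, guard[1])) for lo, hi in ivs]
    return normalize([(lo, hi) for lo, hi in cut if lo <= hi])

class HA:
    """act[s] = (a, b): the evolution phase in state s maps x to a*x + b;
    trans[(s, s')]: list of (guard, reset (a, b)); initial[s], safe[s]: interval unions."""
    def __init__(self, states, act, trans, initial, safe):
        self.states, self.act, self.trans, self.initial, self.safe = states, act, trans, initial, safe

    def evolve(self, sets, eps):
        """Evolution phase of the disturbance A_eps in every discrete state."""
        return {s: dilate(affine(sets[s], *self.act[s]), eps) for s in self.states}

    def post(self, reach, eps):
        """A transition followed by an evolution phase: the inductive step of Reach^{<=n} for A_eps."""
        new = {s: [] for s in self.states}
        for (src, dst), rules in self.trans.items():
            for guard, (ra, rb) in rules:
                new[dst] += affine(meet(reach[src], guard), ra, rb)
        return self.evolve({s: normalize(new[s]) for s in self.states}, eps)

def verify(ha, base, eps, max_iter=60):
    """Cor. 3 for the pair A_base (undisturbed) and A_{base+eps} (disturbed): grow the
    disturbed reach set until it leaves the safe region or is closed under A_base (property (3))."""
    reach = ha.evolve(ha.initial, base + eps)
    for i in range(max_iter):
        if any(not covers(ha.safe[s], reach[s]) for s in ha.states):
            return "disturbed unsafe", i, reach
        image = ha.post(reach, base)
        if all(covers(reach[s], image[s]) for s in ha.states):
            return "safe", i, reach                     # A_base is safe by Cor. 2
        step = ha.post(reach, base + eps)
        reach = {s: normalize(reach[s] + step[s]) for s in ha.states}
    return "undecided", max_iter, reach

def robust_loop(ha, max_n):
    """Theorem 1 with noise levels 10^-n: (n, i) of the first safety witness, else None."""
    for n in range(1, max_n + 1):
        verdict, i, _ = verify(ha, F(0), F(1, 10 ** n))
        if verdict == "safe":
            return n, i
    return None

def noise_margin(ha, unsafe_level, precision):
    """Theorem 2: bracket Noisemargin(A) by running Cor. 3 on pairs (A_a, A_b), a < b;
    the caller must know that A_{unsafe_level} is unsafe."""
    lo, hi = F(0), unsafe_level
    while hi - lo > precision:
        a, b = lo + (hi - lo) / 3, lo + 2 * (hi - lo) / 3
        if verify(ha, a, b - a)[0] == "safe":
            lo = a                                      # A_a safe   => margin >= a
        else:
            hi = b                                      # A_b unsafe => margin <= b
    return lo, hi

# Constructed example (not from the paper): one discrete state s, x starts at 1, each
# evolution phase halves x, the self-loop has guard true and keeps x unchanged. The
# reach set of A is {1/2, 1/4, 1/8, ...}, so the plain iteration never stabilizes.
HALVING = HA(["s"], {"s": (F(1, 2), F(0))}, {("s", "s"): [(None, (F(1), F(0)))]},
             {"s": [(F(1), F(1))]}, {"s": [(F(-2), F(2))]})   # bounded safe region
# Same dynamics, safe region 0 <= x <= 2: A is safe, yet every A_eps reaches x < 0.
FRAGILE = HA(["s"], HALVING.act, HALVING.trans, HALVING.initial, {"s": [(F(0), F(2))]})

if __name__ == "__main__":
    print(verify(HALVING, F(0), F(0), 30)[:2], verify(HALVING, F(0), F(1, 10))[:2])
    print(verify(FRAGILE, F(0), F(1, 10))[:2], robust_loop(HALVING, 3), robust_loop(FRAGILE, 3))
    print(noise_margin(HALVING, F(2), F(1, 8)))
```

With noise level $0$, `verify(HALVING, F(0), F(0), 30)` answers "undecided": the exact reach set $\{1/2, \ldots, 2^{-31}\}$ is never closed under halving, which is the non-termination of the plain reach-set iteration. With noise level $1/10$ the disturbed reach set $[-1/20, 3/5]$ is reached after two steps and is mapped into itself by the undisturbed dynamics, so HALVING is reported safe, while FRAGILE is reported "disturbed unsafe" for every noise level tried. `noise_margin(HALVING, F(2), F(1, 8))` brackets the margin of HALVING, which is $1$ for this automaton (the disturbance $A_\delta$ stays within $[-2\delta, 2\delta]$), to within $1/8$; every verdict along the way is sound because a "safe" answer proves $A_a$ safe and an "unsafe" answer proves $A_b$ unsafe, exactly as in the proof of Theorem 2.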

4 Practical modelling issues 

Let us finally take a pragmatic attitude towards hybrid system modelling. To 
this end, we would like to abstract from the impact of noise on the continuous 
components in a similar way as is generally done for the discrete components in 
finite-state modelling. The digital model used for modelling digital components 
as finite state systems is inherently approximative, as low probability deviations 
— e.g., due to noise — from the ideal digital behaviour are simply neglected. 
Thereby, no identifiable threshold probability is used for distinguishing effects 
that are to be modelled from those which may be neglected. Instead, a wide 
variety of thresholds is accepted in favor of a uniform model, ranging from the 
extremely low probability of noise-induced error within synchronously clocked 
subsystems to the far higher probability of error at the interface to an asyn- 
chronous environment occurring due to metastable states — known as synchro- 
nization failure [1]. This leads to the effect that some unmodelled behavioural 
aspects may well have higher overall probability than some of the modelled ef- 
fects. 

There is no reason to be more demanding wrt. modelling of the continuous behaviour than wrt. discrete behaviour. I.e., just as with discrete transitions the model-builder may freely include or exclude some of the low-probability effects. However, instead of letting the model-builder do the selection we may as well let the verification algorithm do so itself. I.e., the model builder is asked to devise both a hybrid automaton $A$ excluding all (or most) low-probability effects of noise on the continuous components and a hybrid automaton $\overline{A}$ including all (or most) low-probability effects. This would apparently lead to $\overline{A}$ being a disturbance of $A$ of noise level $\varepsilon$ or more for some $\varepsilon > 0$. As we do not really care for the low-probability effects, the verification algorithm is then deliberately free to construct an arbitrary intermediate model and to decide its safety. I.e., we insist that our verification procedure gives a positive answer whenever both $A$ and $\overline{A}$ (and hence all intermediate models) are safe and a negative answer whenever both $A$ and $\overline{A}$ (and hence all intermediate models) are unsafe. But we will accept any answer if $A$ is safe and $\overline{A}$ is unsafe.

This might look like a complication, but in fact ideally fits the verification procedures outlined in Sect. 3: if safety implies strongly finite diameter then the above proof obligation can be discharged automatically according to Cor. 3. I.e., given such a pragmatic modelling discipline, the safety verification problem for linear or polynomial hybrid automata can be solved fully automatically in the important case of a bounded safety region.

Practitioners may object that practical problems with tools like HyTech [3] are not primarily caused by nontermination of the verification procedure due to the inherent undecidability of state reachability. Often, problems arise due to the extremely large number of iterations needed until the reachable state set stabilizes and due to the numerical precision needed for representing those intermediate state sets. However, the pragmatic modelling discipline sketched here, together with the verification technology of Cor. 3, helps overcome these other problems as well. First of all, fewer applications of the transition relation and the evolution predicates are generally needed for constructing an overapproximation with Cor. 3 than for reaching the fixed point in an incremental calculation of the reachable state space. Second, we may reduce the precision needed in the calculations as we may freely replace $\overline{A}$ by a slightly less disturbed variant $B$ of $A$ that upon each activity applies some rounding discipline to the corner points of the reachable state sets in order to reduce the necessary numerical precision.

5 Discussion 

We have been able to show that safety of linear and polynomial hybrid automata 
can be decided algorithmically in most practically interesting cases featuring 
a bounded (or at least strongly finite wrt. some metrics) safety region. The 
remaining cases are such that their safety depends on the complete absence of 
noise and, furthermore, apply dissimilar approximation schemes for modelling 
the discrete and continuous parts of the system, as explained in Sect. 4. 

Instrumental to that success has been the insight that a common proof pat- 
tern of undecidability results for hybrid-systems formalisms does rely on arte- 
facts of the formalization rather than on an encoding of inherent complexity of 
the design problem. In a nutshell, those proofs rely on storing infinite informa- 
tion, namely an encoding of the state set of a counter automaton, by continuous 
variables of bounded range, whereas only a finite part thereof can become effec- 
tive in any embedded control application due to the ubiquity of noise. We have 
shown that already with a simplistic model of noise, combined with a pragmatic 
attitude towards thresholds for noise being considered relevant, the problem of 
undecidability can be overcome. In this sense, an ounce of realism can save an 
infinity of states in the analysis of hybrid systems. 

However, it may be argued that the model of noise employed in Sect. 3 is too 
simplistic. Indeed, a realistic model of noise should better be quantitative, repre- 
senting noise as a probabilistic process. Within this article we have deliberately 
refrained from this, as such a model would hardly yield any practical verifica- 
tion procedure due to the large computational overhead caused by calculating 
the density function when iterating the probabilistic transition and evolution 
steps. I.e., in contrast to the positive effects on the practical complexity of the 
Abstract. The paper deals with the proof method of verification by augmented finitary abstraction (VAA), which presents an effective approach to the verification of the temporal properties of (potentially infinite-state) reactive systems. The method consists of a two-step process by which, in a first step, the system and its temporal specification are combined and then abstracted into a finite-state Büchi automaton. The second step uses model checking to establish emptiness of the abstracted automaton.

The VAA method can be considered as a viable alternative to verification by temporal deduction which, up to now, has been the main method shown to be complete for the verification of infinite-state systems.

The paper presents a general recipe for the abstraction of Büchi automata which is shown to be sound, where soundness means that emptiness of the abstract automaton implies emptiness of the concrete (infinite-state) automaton. To make the method applicable for the verification of liveness properties, pure abstraction is sometimes no longer adequate. We show that by augmenting the system by an appropriate (and standardly constructible) progress monitor, we obtain an augmented system, whose computations are essentially the same as those of the original system, and which may now be abstracted while preserving the desired liveness properties. We then proceed to show that the VAA method is sound and complete for proving all properties expressible by temporal logic (including both safety and liveness). Completeness establishes that whenever an infinite-state Büchi automaton has no computations, there exists a finitary abstraction which abstracts the automaton, augmented by an appropriate progress monitor, into a finite-state Büchi automaton with no computations.

Keywords: Verification, Abstraction, Deduction, Infinite-State Systems, Fair Discrete Systems, Completeness, Linear Temporal Logic, Liveness properties.

1 Introduction

When verifying temporal properties of reactive systems, the common wisdom is: if it is finite-state, model-check it, otherwise one must use temporal deduction, supported by theorem provers such as STeP, PVS, etc. The study of abstraction as an aid to verification demonstrated that, in some interesting cases, one can
abstract an infinite-state system into a finite-state one. This suggests an alternative approach to the temporal verification of infinite-state systems: abstract first and model check later.

In this work, we present a general framework for abstracting an arbitrary (infinite-state) reactive system $\mathcal{D}$ and its specification expressed as a linear temporal logic (LTL) formula $\varphi$, to a finite-state problem that can be model-checked. The unique feature of this abstraction method is that it takes full account of all the fairness assumptions (including strong fairness) associated with the system $\mathcal{D}$ and can, therefore, establish liveness properties, in contrast to most other abstraction approaches that can only support verification of safety properties.

Applying the method of finitary abstraction for the proofs of liveness properties, we find that, sometimes, pure abstraction is no longer adequate. For these cases, it is possible to construct an additional module $M$, to which we refer as a progress monitor, such that the augmented system $\mathcal{D} \,|||\, M$ has essentially the same set of computations as the original $\mathcal{D}$ and can be abstracted in a way which preserves the desired liveness property. We refer to this extended proof method as the method of verification by augmented abstraction (VAA). We proceed in showing that the VAA method is both sound and complete, thus promoting it to the status of becoming an alternative to the verification of infinite-state systems by temporal deduction.

Our presentation takes the automata-theoretic approach to program verification. This approach reduces the verification problem to the emptiness problem of Büchi automata. The approach was first developed for finite-state programs [VW86], then augmented to deal with infinite-state programs in [Var91].

We represent the verified system by a fair discrete system (FDS) which is an infinite-state Streett automaton. The negated LTL property is represented by a tester which is an infinite-state multi-Büchi automaton. We form the synchronous composition of the two automata and transform the resulting FDS into a Büchi discrete system (BDS), which is an infinite-state Büchi automaton $\mathcal{A}$. Following the automata-theoretic approach, we have to prove the emptiness of $\mathcal{A}$. Using abstraction, we transform the problem of checking the emptiness of an infinite-state automaton ($\mathcal{A}$) into the emptiness problem of a finite automaton. Our completeness result means that every infinite-state Büchi automaton can be abstracted into a finite-state automaton, with a weak preservation of the emptiness property. Equivalently, every LTL property on an infinite-state program can be transformed by augmented abstraction into the problem of emptiness of a finite automaton.

The idea of using abstraction for simplifying the task of verification is cer- 
tainly not new with us. Even the observation that, in many interesting cases, 
infinite-state systems can be abstracted into finite-state systems which can be 
model checked has been made before. The main contributions of the paper can 
be summarized as 

• Observing that for some verification tasks involving liveness, pure abstrac- 
tion is inadequate, and devising the method of verification by augmented 
abstraction (VAA). 

• Establishing a (remarkably simple) deductive rule for proving emptiness of 
a simple (Büchi) FDS, which is an infinite-state automaton with Büchi accep- 
tance conditions. 

• Establishing completeness of the VAA method. 

1.1 Related Work 

There has been an extensive study of the use of data abstraction techniques, 
mostly based on the notions of abstract interpretation (a partial list: [CC77], 
[CH78], [CGL94], [CGL96], [DGG97]). Most of the previous work was done in a 
branching context, which complicates the problem if one wishes to preserve both 
existential and universal properties. None of these articles considers explicitly 
the question of fairness requirements and how they are affected by the abstrac- 
tion process. Approaches based on simulation and studies of the properties they 
preserve are considered in [BBLS92] and [GL93]. A linear-time application of ab- 
stract interpretation is proposed in [BBM95], applying the abstractions directly 
to the computational model of fair transition systems, which is very close to the 
FDS model considered here. However, the method is only applied to the verifi- 
cation of safety properties. Liveness, and therefore fairness, are not considered. 

In [MP91a], a deductive methodology for proving temporal properties over 
infinite-state systems is presented. This methodology, based on a set of proof 
rules, is proved to be complete, relative to the underlying assertion language. 
These proof rules and the completeness proof are based on the FTS computation 
model [MP91b]. The translation of the rules and completeness proof to the fair 
discrete system (FDS) model is presented in [KP98]. 

Verification diagrams, presented in [MP94], provide a graphical representa- 
tion of the deductive proof rules, summarizing the necessary verification con- 
ditions. A verification diagram is a finite graph, which can be viewed as a fi- 
nite abstraction of the verified system, with respect to the verified property. In 
[BMS95], [MBSU98], the notion of a verification diagram is generalized, allowing 
a uniform verification of arbitrary temporal formulas. The generalized diagram 
(GVD) can be viewed as an abstraction of the verified system which is justified 
deductively and verified by model checking. The GVD method is also shown to 
be sound and complete. The abstraction constructed by this method is based on 
the FTS computation model, and can be viewed as an ω-automaton with either 
Streett ([BMS95]) or Muller ([MBSU98]) acceptance condition. A dual method 
to VD and GVD is the deductive model checking (DMC) presented in [SUM96]. 
Similar to VD and GVD, this method tries to verify a temporal property over an 
infinite-state system, using a finite graph representation. The method is demon- 
strated to terminate on many infinite-state systems, but is not shown to be 
complete. An (LTL-based) general approach to abstraction has been indepen- 
dently developed in [Uri99]. 

An important development in the theory and implementation of verification 
by finitary (and other types of) abstraction is reported in [BLO98]. The paper 
describes the support system InVest, which employs various heuristics for the 
automatic generation of finitary abstractions for a given system. InVest has 
managed to compute automatically the abstraction presented in our example 
Fig. 9. 
2 A Computational Model: Fair Discrete Systems 

As a computational model for reactive systems, we take the model of a fair 
discrete system (FDS). An FDS 𝒟: ⟨V, Θ, ρ, 𝒥, 𝒞⟩ consists of the following com- 
ponents. 

• V = {u_1, ..., u_n}: A finite set of typed system variables, containing data and 
control variables. The set of states (interpretations) over V is denoted by Σ. 

• Θ: The initial condition - an assertion characterizing the initial states. 

• ρ: A transition relation - an assertion ρ(V, V'), relating the values V of the 
variables in state s ∈ Σ to the values V' in a 𝒟-successor state s' ∈ Σ. 

• 𝒥 = {J_1, ..., J_k}: A set of justice requirements (weak fairness). The jus- 
tice requirement J ∈ 𝒥 is an assertion, intended to guarantee that every 
computation contains infinitely many J-states (states satisfying J). 

• 𝒞 = {(p_1, q_1), ..., (p_n, q_n)}: A set of compassion requirements (strong fair- 
ness). The compassion requirement (p, q) ∈ 𝒞 is a pair of assertions, intended 
to guarantee that every computation containing infinitely many p-states also 
contains infinitely many q-states. 

We require that every state s ∈ Σ has at least one ρ-successor. A computation 
of an FDS 𝒟 is an infinite sequence of states σ: s_0, s_1, s_2, ..., satisfying the 
requirements: 

• Initiality: s_0 is initial, i.e., s_0 ⊨ Θ. 

• Consecution: For each j = 0, 1, ..., the state s_{j+1} is a ρ-successor of s_j. 

• Justice: For each J ∈ 𝒥, σ contains infinitely many J-positions. 

• Compassion: For each (p, q) ∈ 𝒞, if σ contains infinitely many p-positions, 
it must also contain infinitely many q-positions. 

We denote by Comp(𝒟) the set of all computations of 𝒟. An FDS 𝒟 is called 
feasible if Comp(𝒟) ≠ ∅. The feasibility of a finite-state FDS can be checked 
algorithmically, using symbolic model checking, as presented in [KPR98]. A state 
is called 𝒟-reachable if it appears in some computation of 𝒟. 

Let U ⊆ V be a set of variables. Let σ be an infinite sequence of states. 
We denote by σ⇓_U the projection of σ onto the subset U. We denote by 
Comp(𝒟)⇓_U the set of computations of 𝒟, projected onto the set of vari- 
ables U. Let 𝒟_1: ⟨V_1, Θ_1, ρ_1, 𝒥_1, 𝒞_1⟩ and 𝒟_2: ⟨V_2, Θ_2, ρ_2, 𝒥_2, 𝒞_2⟩ be two FDS's and 
U ⊆ V_1 ∩ V_2. We say that 𝒟_1 is U-equivalent to 𝒟_2 (𝒟_1 ≈_U 𝒟_2) if 
Comp(𝒟_1)⇓_U = Comp(𝒟_2)⇓_U. 

All our concrete examples are given in SPL (Simple Programming Language), 
which is used to represent concurrent programs (e.g., [MP95], [MAB+94]). Every 
SPL program can be compiled into an FDS in a straightforward manner (see 
[KPR98]). The predicates at_ℓ_0 and at_ℓ_1 stand, respectively, for the assertions 
π_j = 0 and π_j = 1, where π_j is the control variable denoting the current location 
within the process to which the statement belongs. 
2.1 Synchronous Parallel Composition 

Let 𝒟_1: ⟨V_1, Θ_1, ρ_1, 𝒥_1, 𝒞_1⟩ and 𝒟_2: ⟨V_2, Θ_2, ρ_2, 𝒥_2, 𝒞_2⟩ be two fair discrete sys- 
tems. We define the synchronous parallel composition of 𝒟_1 and 𝒟_2, denoted by 
𝒟_1 ||| 𝒟_2, to be the system 𝒟: ⟨V, Θ, ρ, 𝒥, 𝒞⟩, where 

$$V = V_1 \cup V_2 \qquad \Theta = \Theta_1 \wedge \Theta_2 \qquad \rho = \rho_1 \wedge \rho_2 \qquad \mathcal{J} = \mathcal{J}_1 \cup \mathcal{J}_2 \qquad \mathcal{C} = \mathcal{C}_1 \cup \mathcal{C}_2$$

As implied by the definition, each of the basic actions of system 𝒟 consists 
of the joint execution of an action of 𝒟_1 and an action of 𝒟_2. We can view 
the execution of 𝒟 as the joint execution of 𝒟_1 and 𝒟_2. The main use of the 
synchronous parallel composition is for coupling a system with a tester which 
tests for the satisfaction of a temporal formula, and then checking the feasibility 
of the combined system. In this work, synchronous composition is also used for 
coupling the system with a monitor, used to ensure completeness of the data 
abstraction methodology. 

2.2 From FDS to JDS 

An FDS with no compassion requirements is called a just discrete system (JDS). 
Let 𝒟: ⟨V, Θ, ρ, 𝒥, 𝒞⟩ be an FDS such that 𝒞 = {(p_1, q_1), ..., (p_m, q_m)} and 
m > 0. We define a JDS 𝒟̃: ⟨Ṽ, Θ̃, ρ̃, 𝒥̃, 𝒞̃: ∅⟩ which is V-equivalent to 𝒟 
as follows. First we construct m similar JDS's, 𝒟_1, ..., 𝒟_m, one for each compas- 
sion requirement (p_i, q_i) ∈ 𝒞. The JDS 𝒟_i representing a compassion requirement 
(p_i, q_i) is presented in Fig. 1. 

Fig. 1. A JDS 𝒟_i for a single compassion requirement (p_i, q_i) ∈ 𝒞 

Each 𝒟_i consists of the components V_i = {π_i : [0..2]}, initial condition Θ_i: (π_i = 
0), a single justice requirement J_i: (π_i > 0) and no compassion requirements. 
The JDS 𝒟̃ is given by 𝒟̃: 𝒟 ||| 𝒟_1 ||| ... ||| 𝒟_m. 

2.3 From JDS to BDS 

A JDS with a single justice requirement is called a Büchi discrete system (BDS). 
Let 𝒟: ⟨V, Θ, ρ, 𝒥, 𝒞: ∅⟩ be a JDS such that 𝒥 = {J_1, ..., J_k} and k > 1. We 
define a BDS ℬ: ⟨V_B, Θ_B, ρ_B, 𝒥_B: {J}, 𝒞_B: ∅⟩ which is V-equivalent to 𝒟: 

• V_B = V ∪ {u}, where u is a new variable not in V, interpreted over [0..k]. 

• Θ_B : u = 0 ∧ Θ. 

• ρ_B : ρ(V, V') ∧ ⋁_{i=0}^{k} ( (u = i) ∧ u' = case 
      u = 0 : 1 
      u = i > 0 ∧ J_i' : (u + 1) mod (k + 1) 
      true : u 
    esac ) 

• 𝒥_B = {J}, where J is the single justice requirement J: (u = 0). 
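The counter construction above, as an added example that is not code from the paper: the case expression for u' is driven along two constructed state sequences of a small JDS (one variable x over {0,1,2}, justice requirements J_1: x = 1 and J_2: x = 2, both assumptions), showing that u returns to 0 infinitely often exactly when every J_i is visited infinitely often, so the single requirement u = 0 stands in for all of 𝒥.

```python
# Added example (not code from the paper): the counter u that turns a JDS with
# justice requirements J_1..J_k into a BDS with the single requirement u = 0.
# The JDS below (one variable x over {0,1,2}) and its two runs are constructed.

def bds_counter_update(u, next_state, justice):
    """u' as prescribed by the case expression in rho_B.

    u ranges over [0..k]; justice[i-1] is J_i, evaluated on the *next* state,
    i.e. the primed J_i' of the construction."""
    k = len(justice)
    if u == 0:                                  # u = 0              : 1
        return 1
    if justice[u - 1](next_state):              # u = i > 0 and J_i' : (u+1) mod (k+1)
        return (u + 1) % (k + 1)
    return u                                    # true               : u

def counter_trace(run, justice):
    """Values of u along a JDS state sequence, starting from Theta_B (u = 0)."""
    u, trace = 0, [0]
    for nxt in run[1:]:
        u = bds_counter_update(u, nxt, justice)
        trace.append(u)
    return trace

def bds_successors(jds_successors, justice):
    """Lift a JDS successor function to the BDS, whose states are (s, u) pairs:
    rho_B is rho(V, V') conjoined with the counter update."""
    def succ(state):
        s, u = state
        return {(s2, bds_counter_update(u, s2, justice)) for s2 in jds_successors(s)}
    return succ

# Constructed JDS: x may stay or advance cyclically; J_1: x = 1, J_2: x = 2.
JUSTICE = [lambda x: x == 1, lambda x: x == 2]

def jds_successors(x):
    return {x, (x + 1) % 3}

# A run visiting both J_1 and J_2 infinitely often (finite prefix shown) ...
FAIR_RUN = [i % 3 for i in range(12)]      # 0,1,2,0,1,2,...
# ... and one that never reaches x = 2, i.e. starves J_2.
UNFAIR_RUN = [i % 2 for i in range(12)]    # 0,1,0,1,...

if __name__ == "__main__":
    print(counter_trace(FAIR_RUN, JUSTICE))     # u keeps returning to 0
    print(counter_trace(UNFAIR_RUN, JUSTICE))   # u gets stuck at 2, so u = 0 fails
```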

3 Requirement Specification Language: Temporal Logic 

As a requirement specification language for reactive systems we take linear tem- 
poral logic (LTL) [MP91b]. For simplicity, we consider only the future fragment 
of the logic. Extending the approach to the full logic is straightforward. 

We assume an underlying assertion language ℒ which contains the predicate 
calculus and interpreted symbols for expressing the standard operations and 
relations over some concrete domains. A temporal formula is constructed out 
of state formulas (assertions) to which we apply the boolean operators ¬ and 
∨, and the basic temporal operators ○ (next) and 𝒰 (until). A model for a 
temporal formula p is an infinite sequence of states σ: s_0, s_1, ..., where each 
state s_j provides an interpretation for the variables in p. We refer the reader to 
[MP91b, MP95] for the semantics of temporal formulas. 

Given a model σ we denote by (σ, j) ⊨ p the notion of a temporal formula 
p holding at a position j ≥ 0 in σ. If (σ, 0) ⊨ p, we say that p holds on σ, and 
denote it by σ ⊨ p. A formula p is called satisfiable if it holds on some model. A 
formula p is called valid (⊨ p) if it holds on all models. Two formulas p and q are 
equivalent (p ∼ q) if p ↔ q is valid. Given an FDS 𝒟 and a temporal formula p, 
we say that p is 𝒟-valid (𝒟 ⊨ p) if p holds on all models which are computations 
of 𝒟. We say that a temporal formula p is finitary if the vocabulary V of p is 
finite and, for each variable v ∈ V, v ranges over a finite domain. 

Testers for Temporal Formulas 

Given an LTL formula p, we construct a tester T_p which is a JDS characterizing 
the set of all sequences satisfying p. The variables of T_p consist of the vocabulary 
of p plus a set of auxiliary boolean variables 

X_p : {x_ψ | ψ a principally temporal sub-formula of p} 

We refer the reader to [KPR98] for the construction of testers. This construction 
was inspired by [GGH94], which is based on the non-symbolic constructions 
[LP85], [VW86]. 

4 Reducing Verification to Infeasibility 

Let 𝒟 be an FDS and ψ be a temporal property. The verification problem 𝒟 ⊨ ψ 
can be reduced to an infeasibility problem, as follows: 

• Construct a tester T_¬ψ for the negated property ¬ψ. 

• Construct the synchronous parallel composition 𝒟 ||| T_¬ψ. 

• Transform the FDS 𝒟 ||| T_¬ψ into an equivalent BDS ℬ_(𝒟,¬ψ). 

Claim 1. 𝒟 ⊨ ψ iff Comp(ℬ_(𝒟,¬ψ)) = ∅; i.e., ℬ_(𝒟,¬ψ) is infeasible [Var91]. 



5 Infeasibility of a BDS: A Deductive Verification 

The standard approach for proving infeasibility of a BDS ℬ: ⟨V, Θ, ρ, 𝒥: {J}, 𝒞: 
∅⟩ is to define a ranking function δ which maps the reachable states of ℬ into a 
well-founded domain. The ranking function is required to satisfy the conditions 
that every transition of ℬ does not increase the rank and every transition into 
a state satisfying J, the single justice requirement of ℬ, decreases the rank. 
The (possibly infinite) set of reachable states of ℬ can be characterized (over- 
approximated) by an inductive assertion φ. In Fig. 2 we present rule WELL, a 
deductive rule that can be used to establish infeasibility of a BDS ℬ. 

For an assertion φ, 
a single justice requirement J, 
a well-founded domain (𝒲, ≺), 
and a ranking function δ: Σ_V ↦ 𝒲 

$$\begin{array}{ll}
\text{W1.} & \Theta \rightarrow \varphi \\
\text{W2.} & \varphi \wedge \rho \rightarrow \varphi' \wedge \delta' \preceq \delta \\
\text{W3.} & \varphi \wedge \rho \wedge J' \rightarrow \varphi' \wedge \delta' \prec \delta \\
\hline
 & Comp(\mathcal{B}) = \emptyset
\end{array}$$

Fig. 2. Rule WELL. 

Rule WELL is both sound and (relatively) complete. Soundness of the rule means 
that, given a BDS ℬ, if we can find a ranking function δ and an assertion φ such 
that φ and δ satisfy the three premises W1-W3, then ℬ is indeed infeasible. 
To see this, assume, to the contrary, that ℬ is feasible. Then ℬ has an infinite 
computation σ: s_0, s_1, ..., such that for infinitely many states s_i in σ, s_i ⊨ J. 
Then, from premises W2 and W3, there exists an infinite sequence of states over 
which the ranking function δ decreases infinitely often and never increases in any 
step. Since δ is defined over a well-founded domain, this is clearly impossible. The 
completeness of rule WELL is stated in the following claim: 

Claim 2. Let ℬ: ⟨V, Θ, ρ, 𝒥: {J}, 𝒞: ∅⟩ be a BDS. If ℬ is infeasible, then there 
exist an assertion φ, a well-founded domain (𝒲, ≺) and a ranking function 
δ: Σ_V ↦ 𝒲 satisfying the premises of rule WELL. 

Proof (sketch). To prove the claim, we have to find both an assertion φ and a 
ranking function δ which satisfy the premises W1-W3 of rule WELL. The proof of 
existence of an assertion φ characterizing the set of all reachable states of a BDS 
is presented in [MP91b] (Section 2.5). The existence of a well-founded domain 
(𝒲, ≺) and ranking function δ satisfying the premises W1-W3 is shown in 
[Var91], based on [LPS81] and [GFMdR85]. □ 

Let 𝒟 be an FDS and ψ be a temporal property such that 𝒟 ⊨ ψ. Based 
on Claims 1 and 2, we can identify an assertion and a ranking function which 
satisfy the three premises of rule WELL for the BDS ℬ_(𝒟,¬ψ). We denote this 
assertion and ranking function by Φ and Δ, respectively. 
6 Finitary Abstraction of a BDS 

In this section, we present a general methodology for data abstraction of a BDS, 
derived from the notion of abstract interpretation [CC77]. For more details see 
[KP98b]. Let ℬ = ⟨V, Θ, ρ, 𝒥: {J}, 𝒞: ∅⟩ be a BDS, and Σ denote the set of states 
of ℬ, the concrete states. Let α: Σ ↦ Σ^α be a mapping of concrete states into 
abstract states. We say that α is a finitary abstraction mapping if Σ^α is a finite 
set. To provide a syntactic representation of the abstraction mapping, we assume 
a set of abstract variables V^α and a set of expressions ℰ^α, such that the equality 
V^α = ℰ^α(V) syntactically represents the semantic mapping α. Let p(V) be an 
assertion. We define the operator α⁺ as follows: 

$$\alpha^{+}(p(V)):\ \exists V\,\big(V^{\alpha} = \mathcal{E}^{\alpha}(V) \wedge p(V)\big).$$

The assertion α⁺(p) holds for an abstract state S ∈ Σ^α iff the assertion p holds 
for some concrete state s ∈ Σ such that s ∈ α⁻¹(S). This can also be expressed 
by the inclusion ||p|| ⊆ α⁻¹(||α⁺(p)||). Let ℬ = ⟨V, Θ, ρ, 𝒥 = {J}, 𝒞 = ∅⟩ be a 
BDS. We define ℬ^α = ⟨V^α, Θ^α, ρ^α, 𝒥^α, 𝒞^α⟩, the α-abstracted BDS, as follows: 

$$\Theta^{\alpha} = \alpha^{+}(\Theta) \qquad \rho^{\alpha} = \alpha^{++}(\rho) \qquad \mathcal{J}^{\alpha} = \{\alpha^{+}(J)\} \qquad \mathcal{C}^{\alpha} = \emptyset$$

where 

$$\alpha^{++}(\rho):\ \exists V, V'\,\big(V^{\alpha} = \mathcal{E}^{\alpha}(V) \wedge V^{\alpha\prime} = \mathcal{E}^{\alpha}(V') \wedge \rho(V, V')\big).$$

Claim 3 (Weak Preservation). Comp(ℬ^α) = ∅ implies Comp(ℬ) = ∅. 

As an example, we consider program BAKERY-2, presented in Fig. 3. 

    local y1, y2 : natural where y1 = y2 = 0 

    P1 ::                                  ||  P2 :: 
    ℓ0 : loop forever do                       m0 : loop forever do 
         ℓ1 : NonCritical                           m1 : NonCritical 
         ℓ2 : y1 := y2 + 1                          m2 : y2 := y1 + 1 
         ℓ3 : await y2 = 0 ∨ y1 < y2                m3 : await y1 = 0 ∨ y2 < y1 
         ℓ4 : Critical                              m4 : Critical 
         ℓ5 : y1 := 0                               m5 : y2 := 0 

Fig. 3. Program BAKERY-2: the Bakery algorithm for two processes. 



Program BAKERY-2 is obviously an infinite-state system, since y1 and y2 can 
assume arbitrarily large values. The temporal properties we wish to establish are 
φ_exc: □¬(at_ℓ4 ∧ at_m4) and φ_acc: □(at_ℓ2 → ◇at_ℓ4). The safety 
property φ_exc requires mutual exclusion, guaranteeing that the two processes 
never co-reside in their respective critical sections at the same time. The liveness 
property φ_acc requires accessibility for process P1, guaranteeing that, whenever 
P1 reaches location ℓ2 it will eventually reach location ℓ4. 

Following [BBM95], we define abstract boolean variables B_{p1}, ..., B_{pk}, 
one for each atomic data formula, where the atomic data formulas for BAKERY-2 
are y1 = 0, y2 = 0, and y1 < y2. The abstract system variables consist of 
the concrete control variables, which are left unchanged, and a set of abstract 
boolean variables B_{p1}, B_{p2}, ..., B_{pk}. The abstraction mapping α is defined by 

α: {B_{p1} = p1, B_{p2} = p2, ..., B_{pk} = pk} 

That is, the boolean variable B_{pi} has the value true in the abstract state iff the 
assertion p_i holds at the corresponding concrete state. It is straightforward to 
compute the α-induced abstractions of the initial condition Θ^α and the transition 
relation ρ^α. In Fig. 4, we present program Bakery-2 (with a capital B), the α- 
induced abstraction of program BAKERY-2. 

    local B_{y1=0}, B_{y2=0}, B_{y1<y2} : boolean initially B_{y1=0} = B_{y2=0} = 1, B_{y1<y2} = 0 

    P1 ::                                            ||  P2 :: 
    ℓ0 : loop forever do                                 m0 : loop forever do 
         ℓ1 : NonCritical                                     m1 : NonCritical 
         ℓ2 : (B_{y1=0}, B_{y1<y2}) := (0, 0)                 m2 : (B_{y2=0}, B_{y1<y2}) := (0, 1) 
         ℓ3 : await B_{y2=0} ∨ B_{y1<y2}                      m3 : await B_{y1=0} ∨ ¬B_{y1<y2} 
         ℓ4 : Critical                                        m4 : Critical 
         ℓ5 : (B_{y1=0}, B_{y1<y2}) := (1, ¬B_{y2=0})         m5 : (B_{y2=0}, B_{y1<y2}) := (1, 0) 

Fig. 4. Program Bakery-2: the Bakery algorithm for two processes. 



Since the properties we wish to verify refer only to the control variables 
(through the at_ℓ and at_m expressions), they are not affected by the abstrac- 
tion. Program Bakery-2 is a finite-state program, and we can apply model 
checking to verify that it satisfies the two properties of mutual exclusion and 
accessibility. By Claim 3, we can infer that the original program BAKERY-2 also 
satisfies these two temporal properties. 

6.1 Augmentation by Progress Monitors 

Program BAKERY-2 is an example of successful data abstraction. However, there 
are cases where abstraction alone is inadequate for transforming an infinite-state 
system satisfying a property into a finite-state abstraction which maintains the 
property. In the following we illustrate the problem and the proposed solution. 

In Fig. 5, we present a simple looping program. The assignment at statement 
ℓ2 assigns to y non-deterministically one of the values y + 1 or y. The property 
we wish to verify is that program SUB-ADD always terminates. 

A natural abstraction for the variable y is defined by 

Y = if y = 0 then zero else if y = 1 then one else large, 

where y is abstracted into the three-valued domain {zero, one, large}. However, 
applying this abstraction yields the abstract program SUB-ADD-ABS-1, presented 
in Fig. 6, where the abstract functions sub2 and add1 are defined by 

sub2(Y) = if Y ∈ {zero, one} then zero else {zero, one, large}, 

add1(Y) = if Y = zero then one else large. 
    y : natural 
    ℓ0 : while y > 1 do 
         ℓ1 : y := y − 2 
         ℓ2 : y := {y + 1, y} 
         ℓ3 : skip 

Fig. 5. Program SUB-ADD. 

    Y : {zero, one, large} 
    ℓ0 : while Y = large do 
         ℓ1 : Y := sub2(Y) 
         ℓ2 : Y := {add1(Y), Y} 
         ℓ3 : skip 

Fig. 6. Program SUB-ADD-ABS-1 abstracting program SUB-ADD. 



Unfortunately, program SUB-ADD-ABS-1 need not terminate, because the func- 
tion sub2 can always choose to yield large as a result. Termination of programs 
like program SUB-ADD can always be established by identification of a progress 
measure that never increases and sometimes is guaranteed to decrease. In this 
case, for example, we can use the progress measure δ: y + at_ℓ2, which never in- 
creases and always decreases on the execution of statement ℓ1. To obtain a work- 
ing abstraction, we first compose program SUB-ADD with an additional module, 
called the progress monitor for the measure δ, as shown in Fig. 7. 

    y : natural 
    ℓ0 : while y > 1 do 
         ℓ1 : y := y − 2 
         ℓ2 : y := {y + 1, y} 
         ℓ3 : skip 
    ℓ4 : 
    -- SUB-ADD -- 

    || 

    define δ = y + at_ℓ2 
    inc : {−1, 0, 1} 
    m0 : always do 
         inc := diff(δ, δ') 
    -- MONITOR M_δ -- 

Fig. 7. Program SUB-ADD composed with a monitor. 



The construct always do appearing in MONITOR M_δ means that the assignment 
which is the body of this construct is executed at every step. The comparison 
function diff(δ, δ') is defined by 

diff(δ, δ') = if δ < δ' then 1 else if δ = δ' then 0 else −1. 

The presentation of the monitor module M_δ in Fig. 7 is only for illustration 
purposes. The precise definition of this module is given by the following FDS: 

V: {V_𝒟, inc: {−1, 0, 1}}   Θ: true 
ρ: inc' = diff(δ, δ')   𝒥: ∅   𝒞: {(inc < 0, inc > 0)} 

Thus, at every step of the computation, module M_δ compares the new value 
of δ with the current value, and sets variable inc to −1, 0, or 1, according to 
whether the value of δ has decreased, stayed the same, or increased, respectively. 
This FDS has no justice requirements but has the single compassion requirement 
(inc < 0, inc > 0) stating that δ cannot decrease infinitely many times without 
also increasing infinitely many times. This requirement is a direct consequence 
of the fact that δ ranges over the well-founded domain of the natural numbers, 
which does not allow an infinitely decreasing sequence. 

It is possible to represent this composition as (almost) equivalent to the 
sequential program presented in Fig. 8, where we have conjoined the repeated 
assignment of module M_δ with every assignment of process SUB-ADD. 

    y : natural 
    inc : {−1, 0, 1} 
    ℓ0 : while y > 1 do 
         ℓ1 : (y, inc) := (y − 2, diff(δ, δ')) 
         ℓ2 : (y, inc) := ({y + 1, y}, diff(δ, δ')) 
         ℓ3 : inc := diff(δ, δ') 
    ℓ4 : 

Fig. 8. A sequential equivalent of the monitored program. 



The abstraction of the program of Fig. 8 will abstract y into a variable Y rang- 
ing over {zero, one, large}. The variable inc is not abstracted. The resulting 
abstraction is presented in Fig. 9. 

    Y : {zero, one, large} 
    inc : {−1, 0, 1} 
    compassion (inc < 0, inc > 0) 
    ℓ0 : while Y = large do 
         ℓ1 : (Y, inc) := (sub2(Y), −1) 
         ℓ2 : (Y, inc) := ({add1(Y), Y}, {0, −1}) 
         ℓ3 : inc := 0 
    ℓ4 : 

Fig. 9. Abstracted version of the monitored program: Program SUB-ADD-ABS-2. 



The program SUB-ADD-ABS-2 (Fig. 9) differs from program SUB-ADD-ABS-1 
(Fig. 6) by the additional compassion requirement (inc < 0, inc > 0). It is this 
additional requirement which forces program SUB-ADD-ABS-2 to terminate. This 
is because a run in which sub2 always yields large as a result is a run in which 
inc is negative infinitely many times (on every visit to ℓ1) and is never positive 
beyond the first state. The fact that SUB-ADD-ABS-2 always terminates can now 
be successfully model-checked. 

The extension to the case that the progress measure ranges not over the 
naturals but over lexicographic tuples of naturals is straightforward. 
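The termination argument of Figs. 6 and 9, as an added example that is not code from the paper: the abstract state space (location, Y, inc) of the monitored program is enumerated explicitly, and a fair-cycle search over its strongly connected components shows that SUB-ADD-ABS-1 admits a non-terminating run while SUB-ADD-ABS-2 does not, once the compassion requirement (inc < 0, inc > 0) is enforced. The explicit-state encoding, the choice inc = 0 at the loop test and at ℓ4, and the initial inc = 0 are assumptions of this example.

```python
# Added example (not the paper's code): explicit-state feasibility check for the
# abstract programs SUB-ADD-ABS-1 (Fig. 6) and SUB-ADD-ABS-2 (Fig. 9).
# Abstract states are triples (loc, Y, inc); the progress measure is delta = y + at_l2.

ZERO, ONE, LARGE = "zero", "one", "large"

def sub2(Y):
    """Abstract y := y - 2 (Fig. 6): zero/one -> zero, large -> any abstract value."""
    return {ZERO} if Y in (ZERO, ONE) else {ZERO, ONE, LARGE}

def add1(Y):
    """Abstract y := y + 1 (Fig. 6)."""
    return ONE if Y == ZERO else LARGE

def successors(state):
    """Successor states of SUB-ADD-ABS-2 (Fig. 9); inc records diff(delta, delta').

    Assumption: at the loop test l0 and at the terminal location l4 the measure
    is unchanged, so the monitor sets inc to 0 there."""
    loc, Y, _inc = state
    if loc == 0:                                     # while Y = large
        return {(1, Y, 0)} if Y == LARGE else {(4, Y, 0)}
    if loc == 1:                                     # l1: delta drops from y to (y-2)+1
        return {(2, Y2, -1) for Y2 in sub2(Y)}
    if loc == 2:                                     # l2: Y := {add1(Y), Y}, inc := {0, -1}
        return {(3, Y2, i) for Y2 in (add1(Y), Y) for i in (0, -1)}
    if loc == 3:                                     # l3: skip, inc := 0
        return {(0, Y, 0)}
    return {(4, Y, 0)}                               # l4: terminated, idle forever

def reachable_graph():
    """Explicit transition graph from the initial states (l0, any Y, inc = 0)."""
    edges, todo = {}, [(0, Y, 0) for Y in (ZERO, ONE, LARGE)]
    while todo:
        s = todo.pop()
        if s not in edges:
            edges[s] = successors(s)
            todo.extend(edges[s])
    return edges

def sccs(nodes, edges):
    """Tarjan's algorithm on the subgraph induced by `nodes`."""
    index, low, stack, on_stack, out = {}, {}, [], set(), []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v); on_stack.add(v)
        for w in edges[v]:
            if w not in nodes:
                continue
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            comp = set()
            while True:
                w = stack.pop(); on_stack.discard(w); comp.add(w)
                if w == v:
                    break
            out.append(frozenset(comp))
    for v in sorted(nodes):
        if v not in index:
            visit(v)
    return out

def fair_cycle_exists(nodes, edges, compassion):
    """Is there a cycle within `nodes` whose states satisfy every compassion
    requirement (p, q), i.e. a cycle visiting a p-state also visits a q-state?
    A violated requirement is handled by dropping its p-states and recursing."""
    for scc in sccs(nodes, edges):
        if len(scc) == 1 and next(iter(scc)) not in edges[next(iter(scc))]:
            continue                                 # trivial SCC: carries no cycle
        violated = [p for p, q in compassion
                    if any(p(s) for s in scc) and not any(q(s) for s in scc)]
        if not violated:
            return True
        pruned = {s for s in scc if not any(p(s) for p in violated)}
        if pruned and fair_cycle_exists(pruned, edges, compassion):
            return True
    return False

def may_fail_to_terminate(monitored):
    """True iff the abstract program admits an infinite run that never reaches l4
    and, when `monitored`, respects the compassion requirement (inc < 0, inc > 0).
    monitored=False models SUB-ADD-ABS-1, monitored=True models SUB-ADD-ABS-2."""
    edges = reachable_graph()
    looping = {s for s in edges if s[0] != 4}        # l4 is absorbing, so exclude it
    compassion = [(lambda s: s[2] < 0, lambda s: s[2] > 0)] if monitored else []
    return fair_cycle_exists(looping, edges, compassion)

if __name__ == "__main__":
    print("SUB-ADD-ABS-1 may loop forever:", may_fail_to_terminate(False))
    print("SUB-ADD-ABS-2 may loop forever:", may_fail_to_terminate(True))
```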

6.2 The General Structure of a Progress Monitor 

We proceed to define the general structure of a progress monitor and show that 
its augmentation to a verified system is safe. A well-founded domain (𝒲, ≺) 
consists of a set 𝒲 and a total ordering relation ≺ over 𝒲 such that there does 
not exist an infinitely descending sequence, i.e., a sequence of the form 

$$a_0 \succ a_1 \succ a_2 \succ \cdots$$

A ranking function for an FDS 𝒟 is a function δ mapping the states of 𝒟 into a 
well-founded domain. A progress monitor for a ranking function δ is an FDS M_δ 
of the following form: 

V: {V_𝒟, inc: {−1, 0, 1}},   Θ: true, 
ρ: inc' = diff(δ(V_𝒟), δ(V_𝒟')),   𝒥: ∅,   𝒞: {(inc < 0, inc > 0)} 

The following claim states that augmentation to a verified system is safe: 

Claim 4. Comp(𝒟 ||| M_δ)⇓_{V_𝒟} = Comp(𝒟). 

7 Verification by Augmented Finitary Abstraction 

Let ℬ be an infeasible BDS. Let α be an abstraction mapping and δ be a ranking 
function for ℬ. We say that (α, δ) is an adequate augmented abstraction for ℬ if 
α is finitary and Comp((ℬ ||| M_δ)^α) = ∅. 

Let 𝒟 be an FDS, ψ be a temporal property such that 𝒟 ⊨ ψ, and α be 
a finitary abstraction mapping. Let Δ be a ranking function for ℬ_(𝒟,¬ψ). From 
the definition of adequate augmented abstraction and Claim 1, we can say that 
(α, Δ) is an adequate augmented abstraction for (𝒟, ψ) iff it is an adequate 
augmented abstraction for ℬ_(𝒟,¬ψ), i.e., Comp((ℬ_(𝒟,¬ψ) ||| M_Δ)^α) = ∅. 

We can now formulate the method of verification by augmented finitary ab- 
straction (VAA) as follows. To verify that ψ is 𝒟-valid, 

• Construct a tester T_¬ψ for the negated temporal property ¬ψ. 

• Construct the synchronous parallel composition 𝒟 ||| T_¬ψ of the FDS 𝒟 rep- 
resenting the verified system and the tester T_¬ψ, and transform it into an 
equivalent BDS ℬ_(𝒟,¬ψ). 

• Identify an appropriate ranking function Δ for ℬ_(𝒟,¬ψ), and construct the 
progress monitor M_Δ. 

• Construct an FDS of the augmented system 𝒜: ℬ_(𝒟,¬ψ) ||| M_Δ. 

• Abstract the augmented system 𝒜 into a finitary abstract FDS 𝒜^α. 

• Model-check Comp(𝒜^α) = ∅. 

• Infer 𝒟 ⊨ ψ. 

Claim 5 (Soundness). Comp((ℬ_(𝒟,¬ψ) ||| M_Δ)^α) = ∅ implies 𝒟 ⊨ ψ. 
8 Completeness of the VAA Method 

In the following we prove the completeness of the VAA method. First we intro- 
duce the operator α⁻, dual to α⁺, and establish some useful properties of the 
abstraction mappings α⁺ and α⁺⁺. 

8.1 The α⁻ Operator 

The operator α⁻ is dual to α⁺. Let p(V) be an assertion. The operator α⁻ is 
defined by 

$$\alpha^{-}(p(V)):\ \forall V\,\big(V^{\alpha} = \mathcal{E}^{\alpha}(V) \rightarrow p(V)\big).$$

The assertion α⁻(p) holds for an abstract state S ∈ Σ^α iff the assertion p holds 
for all concrete states s ∈ Σ such that s ∈ α⁻¹(S). This can also be expressed 
by the inclusion α⁻¹(||α⁻(p)||) ⊆ ||p||, where ||p|| and ||α⁻(p)|| represent the 
sets of states which satisfy the respective assertions. If α⁻(p) is valid, then 
||α⁻(p)|| = Σ^α, implying α⁻¹(||α⁻(p)||) = Σ which, by the above inclusion, leads 
to ||p|| = Σ, establishing the validity of p. 

An abstraction α is said to be precise with respect to an assertion p if α⁺(p) ∼ 
α⁻(p). A sufficient condition for α to be precise w.r.t. p is that the abstract 
variables include a boolean variable B_p with the definition B_p = p. 

8.2 Properties of α⁺ and α⁺⁺ 

Lemma 1. If α is precise with respect to the assertions p_1, ..., p_n, then α is 
precise with respect to any boolean combination of these assertions. 

Lemma 2. Let p = p(V, V') and q = q(V) be two assertions, such that α is 
precise with respect to q. Then, the following equivalences hold: 

$$\alpha^{++}(p \wedge q) \sim \alpha^{++}(p) \wedge \alpha^{+}(q) \qquad (1)$$

$$\alpha^{++}(p \wedge q') \sim \alpha^{++}(p) \wedge \alpha^{+}(q)' \qquad (2)$$

It also follows from the definitions that if p = p(V), then both α⁺⁺(p) ∼ α⁺(p) 
and α⁺⁺(p') ∼ α⁺(p)' hold without any precision assumptions about p. Finally, 
we observe that if an implication is valid, we can apply the abstractions α⁺ and 
α⁺⁺ to both sides of the implication. That is, 

$$\models p \rightarrow q \quad\text{implies}\quad \models \alpha^{+}(p) \rightarrow \alpha^{+}(q) \ \text{ and } \ \models \alpha^{++}(p) \rightarrow \alpha^{++}(q) \qquad (3)$$

8.3 The Completeness Statement 

Claim 6 (Completeness of VAA). Let ℬ_(𝒟,¬ψ) be an infeasible BDS. Then, there 
exists an adequate augmented abstraction for ℬ_(𝒟,¬ψ). 

As the ranking function for our augmented abstraction we take Δ (see Section 5). 
Let H denote all the homogeneous atomic state sub-formulas of the invariant 
assertion Φ and any of the components of Δ (where Δ: …). That 
is, H contains all the atomic state sub-formulas f(V) such that f(V) or f(V') 
appears in Φ or any of the components of Δ. The set H does not include atomic 
formulas with mixed (primed and unprimed) variables such as y' = y + 1. 
Let α be a finitary abstraction which is precise with respect to all the asser- 
tions appearing in H, and does not abstract the auxiliary variables in X_¬ψ and 
the variable inc, where inc: diff(Δ, Δ'). In the following, we show that for this 
choice of ranking function and abstraction mapping, Comp(𝒜^α) = ∅, that is, the 
abstracted augmented system is indeed infeasible. 

Abstracting the Premises of Rule WELL. 

The proof is based on the abstraction of premises W1-W3 of rule WELL (Sec- 
tion 5), applied to the BDS ℬ_(𝒟,¬ψ) = ⟨V, Θ, ρ, 𝒥 = {J}, 𝒞 = ∅⟩. These three 
premises are known to be valid for our choice of Φ and Δ. Since 𝒜 = ℬ_(𝒟,¬ψ) ||| M_Δ, 
then from the definition of M_Δ, the components of 𝒜 are given by 

Θ_𝒜: Θ   ρ_𝒜: ρ ∧ inc' = diff(Δ, Δ')   𝒥_𝒜: {J}   𝒞_𝒜: {(inc < 0, inc > 0)} 

From the implication 

$$inc' = diff(\Delta, \Delta') \rightarrow \big(\Delta' \preceq \Delta \rightarrow inc' \le 0\big) \wedge \big(\Delta' \prec \Delta \rightarrow inc' < 0\big)$$

and the three premises of rule WELL applied to ℬ_(𝒟,¬ψ), we can obtain the 
following three valid implications: 

U1. Θ_𝒜 → Φ 

U2. ρ_𝒜 ∧ Φ → Φ' ∧ inc' ≤ 0 

U3. ρ_𝒜 ∧ Φ ∧ J' → Φ' ∧ inc' < 0. 

Based on Equation (3), we can apply α⁺ to both sides of U1 and apply α⁺⁺ 
to both sides of U2 and U3. We then simplify the right-hand sides, using the 
fact that α⁺⁺(p') ∼ α⁺(p)', and that α does not abstract inc. Next, we use 
the fact that α is precise w.r.t. all the atomic formulas appearing in Φ and J, in 
order to distribute the abstraction over the conjunctions on the left-hand sides of 
the implications. These transformations and simplifications lead to the following 
three valid abstract implications: 

V1. α(Θ_𝒜) → α(Φ) 

V2. α⁺⁺(ρ_𝒜) ∧ α(Φ) → α(Φ)' ∧ inc' ≤ 0 

V3. α⁺⁺(ρ_𝒜) ∧ α(Φ) ∧ α(J)' → α(Φ)' ∧ inc' < 0. 

The augmented system 𝒜^α has no computations 

We proceed to show that 𝒜^α has no computations (Comp(𝒜^α) = ∅). Assume to 
the contrary. Let σ: s_0, s_1, ... be a computation of 𝒜^α. 

First we use the implications V1-V3 to show that the assertion α(Φ) is an 
invariant of σ. Since σ is a computation of 𝒜^α, the first state of σ satisfies α(Θ_𝒜) 
and we conclude by V1 that the first state of σ satisfies α(Φ). Proceeding from 
each state s_j of σ to its successor s_{j+1}, which must be an α⁺⁺(ρ_𝒜)-successor of 
s_j, we see from V2 and V3 that α(Φ) keeps propagating. It follows that α(Φ) is 
an invariant of σ, i.e., every state s_i of σ satisfies α(Φ). 

Next, since σ is a computation of 𝒜^α, it must contain infinitely many states 
which satisfy α(J). According to implications V2 and V3, the variable inc is 
never positive, and is negative infinitely many times. Such a behavior contra- 
dicts the compassion requirement (inc < 0, inc > 0) associated with 𝒜^α. Thus, 
σ cannot be a computation of 𝒜^α, contradicting our initial assumption. This 
concludes our proof of completeness. 

9 Conclusions 

We have presented a method for verification by augmented finitary abstraction 
by which, in order to verify that a (potentially infinite-state) system satisfies 
a temporal property, one first augments the system with a non-constraining 
progress monitor and then abstracts the augmented system and the temporal 
specification into a finite-state verification problem, which can be resolved by 
model checking. The method has been shown to be sound and complete. 

In principle, the established completeness promotes the VAA method to the 
status of a viable alternative to the verification of infinite-state reactive systems 
by temporal deduction. Some potential users of formal verification may find the 
activity of devising good abstraction mappings more tractable (and similar to 
programming) than the design of auxiliary invariants. However, on a deeper level 
it is possible to argue that this is only a formal shift and that the same amount 
of ingenuity and deep understanding of the analyzed system is still required for 
effective verification as in the practice of temporal deduction methods. 

The development of the VAA theory calls for additional research in the im- 
plementation of these methods. In particular, there is a strong need for devising 
heuristics for the automatic generation of effective abstraction mappings and 
corresponding augmenting monitors. 

Acknowledgment: We gratefully acknowledge the many useful discussions and 
insightful observations by Moshe Vardi which helped us clarify the main issues 
considered in this paper. We also thank Saddek Bensalem for his helpful com- 
ments and for running many of our examples on his automatic abstraction system 
Abstract. Signed Interval Logic (SIL) is an extension of Interval Temporal Logic (ITL) with the introduction of the notion of a direction of an interval.

We develop syntax, semantics, and proof system of SIL, and show that 
this proof system is sound and complete. The proof system of SIL is not 
more complicated than that of ITL but SIL is (contrary to ITL) capable 
of specifying liveness properties. Other interval logics capable of this 
(such as Neighbourhood Logic) have more complicated proof systems. 
We discuss how to define future intervals in SIL for the specification of 
liveness properties. 

To characterize the expressive power of SIL we relate SIL to arrow logic 
and relational algebra. 



Keywords: interval logic, temporal intervals, arrow logic, real-time systems, liveness. 



1 Introduction 

Interval logics [4,11,17,19,8,5,22,20,12,2,13,14,6,21] are logics of temporal intervals: one can express properties such as "if $\phi$ holds on this interval then $\psi$ must hold on all subintervals" or "$\phi$ must hold on some interval eventually". Interval logics have proven useful in the specification and verification of real-time and safety-critical systems.

In this paper we introduce a new kind of interval logic, called Signed Interval Logic (SIL), with the introduction of the notion of a direction of an interval. The proof system of SIL turns out to be not more complicated than that of Interval Temporal Logic (ITL) [2], but SIL is (contrary to ITL) capable of specifying liveness properties. Other interval logics capable of this (such as Neighbourhood Logic (NL) [21]) have more complicated proof systems.

ITL is one of the simplest interval logics; it has only one interval modality, the binary chop $\frown$. The semantics of $\phi \frown \psi$ is given in Fig. 1. In ITL (and NL) intervals are represented by pairs $[b, e]$ (where $b \le e$) of elements from some totally ordered temporal domain of time points.

* Tel: +45 4525 3764, Fax: +45 4593 0074. 
We will refer to $m$ of Fig. 1 as the chopping point of $\phi \frown \psi$. The chopping point will always lie inside the current interval on which we interpret a given formula. In general, modalities with this property are called contracting. With contracting modalities it is only possible to specify safety properties of a system. This is because once we have chosen the interval we want to observe, we are restricted to specifying properties of this interval and its subintervals.

Fig. 1. $\phi \frown \psi$ holds on $[b, e]$ iff there exists $m \in [b, e]$ such that $\phi$ holds on $[b, m]$ and $\psi$ holds on $[m, e]$.

To specify liveness properties, we need to reach intervals outside the current interval. In general, modalities which can do this are called expanding. Neighbourhood Logic (NL) [21] is an example of an interval logic with expanding modalities. NL has two modalities $\Diamond_r$ and $\Diamond_l$ for reaching a right neighbourhood and a left neighbourhood, respectively, of the current interval. This intuition is made more precise in Fig. 2 in the case of $\Diamond_r$. The case of $\Diamond_l$ is similar.

Fig. 2. $\Diamond_r \phi$ holds on $[b, e]$ iff there exists $n \ge e$ such that $\phi$ holds on $[e, n]$.

Both ITL and NL include a special symbol $\ell$ which intuitively represents the length of an interval. This symbol is not common to all interval logics.

We now turn our attention to the contribution of this paper: SIL is an extension of ITL with the introduction of the notion of a direction (which can be either forward or backward) of an interval. The idea for SIL originates in [3], where an interval logic with such a notion of a direction of an interval was informally developed.

An interval with a direction is in SIL represented by a signed interval $(b, e)$. Both the pair $(b, e)$ and the pair $(e, b)$ represent the same interval, but $(e, b)$ has the opposite direction of $(b, e)$. SIL inherits the special symbol $\ell$ from ITL. $\ell$ now gives the signed length of an interval. Intuitively, the absolute value of $\ell$ gives the length of the interval and the sign of $\ell$ determines the direction.

Like ITL, SIL only has the binary modality $\frown$. But because of the directions of intervals, the semantics is now altered: see Fig. 3. On the figure the direction of an interval is marked with a small arrowhead at either end of the interval. The chopping point can now lie anywhere and not just inside the current interval. This means that $\frown$ of SIL has become an expanding modality, hence SIL can specify liveness properties.

Fig. 3. $\phi \frown \psi$ holds on $(b, e)$ iff there exists $m$ such that $\phi$ holds on $(b, m)$ and $\psi$ holds on $(m, e)$.

We will in the following shortly consider related work on interval logic. 

In [5] an interval logic with six unary interval modalities is developed, and it is 
shown that they can express all thirteen possible relations between intervals [1]. 
In [19] a complete proof system for the interval logic of [5] is given. [20] considers 
an even more expressive interval logic with three binary modalities instead of 
six unary. A complete proof system for this logic is also given. Unfortunately, 
both the proof systems of [19,20] are somewhat complicated due to the fact that 
they are kept in a propositional setting. In particular, both systems include some 
complicated inference rules. 

NL has also a complete proof system [21]. This proof system is somewhat 
complicated because of “two-level” axiom schemes: Besides being axiom schemes 
in terms of formulas, the axioms are also schemes in terms of interval modalities. 

It is possible in NL to define the six unary modalities of [5] and the three binary modalities of [20] as abbreviated modalities [21]. This adequacy result relies on NL being a first order interval logic with the special length symbol $\ell$. In [15] it is shown that SIL is an adequate first order interval logic by defining the modalities of NL as abbreviated modalities in SIL.

The rest of this paper is organized as follows. Sect. 2, Sect. 3 and Sect. 4 
give the syntax, semantics and proof system of SIL, respectively. In Sect. 5 we 
sketch a proof showing that the proof system of SIL is sound and complete with 
respect to a certain class of models. In Sect. 6 we relate SIL to arrow logic [9] 
and relational algebra [18] to characterize the expressive power of SIL. Sect. 7 
considers how to define future intervals for expressing liveness properties in SIL 
as this was a motivation for the development of SIL. Finally, Sect. 8 considers 
further work on SIL. 

2 Syntax 

The formulas of SIL are constructed from the following sets of symbols:

Var: An infinite set of variables $x, y, z, \ldots$.

FSymb: An infinite set of function symbols $f^n, g^m, \ldots$ equipped with arities $n, m \ge 0$. If $f^n$ has arity $n = 0$ then $f$ is called a constant. Constants will be denoted by $a, b, c, \ldots$.

PSymb: An infinite set of predicate symbols $G^n, H^m, \ldots$ equipped with arities $n, m \ge 0$. If $G^n$ has arity $n = 0$ then $G$ is called a propositional letter. Propositional letters will be denoted by $p, q, r, \ldots$. The predicate symbols also include the special binary predicate $=$.




T.M. Rasmussen



A function/predicate symbol is either rigid or flexible. In particular, $=$ is rigid. The set of terms $\theta, \theta_i \in \mathit{Terms}$ is defined by the following abstract syntax:

$\theta ::= x \mid a \mid f^n(\theta_1, \ldots, \theta_n)$.

The set of formulas $\phi \in \mathit{Formulas}$ is defined by the following abstract syntax:

$\phi ::= p \mid G^n(\theta_1, \ldots, \theta_n) \mid \theta_1 = \theta_2 \mid \neg\phi \mid \phi \wedge \psi \mid \phi \frown \psi \mid (\exists x)\phi$.

We also use $\psi, \ldots$ to denote formulas. A language consisting of variables, function and predicate symbols, and the symbols $($, $)$, $=$, $\neg$, $\wedge$, $\frown$ and $\exists$ will be called a chop-language.

We use "sentence" as a synonym for "closed formula". If $x_1, \ldots, x_n$ are the free variables of $\phi$ then we denote by $(\forall x_1) \ldots (\forall x_n)\phi$ the universal closure of $\phi$. A formula is said to be chop-free if it does not contain the symbol $\frown$. A formula is said to be flexible if it contains a flexible symbol. Otherwise it is said to be rigid. For convenience, we use infix notation for binary function or predicate symbols such as $+$ and $<$. We will use the standard abbreviations from first order predicate logic for the symbols $\vee$, $\Rightarrow$, $\Leftrightarrow$ and $\forall$. To avoid excessive use of parentheses we introduce the following precedences: 1. $\neg$, 2. $\frown$, 3. $\vee$, $\wedge$, 4. $\Rightarrow$, $\Leftrightarrow$, $\forall$, $\exists$.

3 Semantics 

We start by giving a general Kripke-style possible worlds semantics. 

Definition 1. A model $\mathcal{M}$ for a chop-language is a quadruple $(W, R, D, I)$ where

— $W$ is a non-empty set of possible worlds and $R$ is a ternary accessibility relation on $W$, thus $R \subseteq W \times W \times W$.

— $D$ is a non-empty set.

— $I$ is a function assigning an interpretation to each function/predicate symbol in each world, such that (where $w \in W$):

$I(a)(w) \in D$, $\quad I(f^n)(w) \in D^n \to D$,

$I(p)(w) \in \{tt, ff\}$, $\quad I(G^n)(w) \in D^n \to \{tt, ff\}$,

and such that the interpretation of a rigid symbol is the same in all worlds.

The pair $(W, R)$ is called the frame and $D$ the domain of the model. Compared to models of classical modal logic [7], the only difference is that the accessibility relation is ternary and not binary.
Given a model $\mathcal{M} = (W, R, D, I)$, an $\mathcal{M}$-valuation is a function $V$ associating an element of the domain with each variable, thus $V \in \mathit{Var} \to D$.

We denote by $\mathcal{M}, V, w \models \phi$ that $\phi$ is satisfied in a world $w \in W$ of a model $\mathcal{M} = (W, R, D, I)$ under an $\mathcal{M}$-valuation $V$. Satisfaction of formulas is inductively defined in the standard way [7]. The only interesting case is that of $\frown$ (see [15] for the full definition):

$\mathcal{M}, V, w \models \phi \frown \psi$ iff $\mathcal{M}, V, w_1 \models \phi$ and $\mathcal{M}, V, w_2 \models \psi$ and $R(w_1, w_2, w)$ for some $w_1, w_2 \in W$.

Given a set of formulas $\Gamma$, we say that $\mathcal{M}$ satisfies $\Gamma$ if there is a world $w$ of $\mathcal{M}$ and an $\mathcal{M}$-valuation $V$ such that for every formula $\phi \in \Gamma$, $\mathcal{M}, V, w \models \phi$. A formula $\phi$ is valid in $\mathcal{M}$ if for any world $w$ of $\mathcal{M}$ and any $\mathcal{M}$-valuation $V$, $\mathcal{M}, V, w \models \phi$. $\phi$ is valid in a class of models $\mathcal{C}$ if it is valid in all models of $\mathcal{C}$.

We now proceed by presenting the results necessary for defining the class of signed interval models, which gives the more concrete semantics of SIL.

Definition 2. A signed temporal domain is a non-empty set $T$.

Contrary to work on (non-signed) interval logic with a general temporal domain [5,19,20,2,21], we do not require $T$ to be totally ordered. In the case of SIL we can have a completeness result without this requirement and therefore choose to define $T$ as generally as possible. (But see the remark at the end of Sect. 5.)

Definition 3. A signed interval frame $(W, R)$ on a signed temporal domain $T$ is defined by:

— $W = T \times T$ is the set of signed intervals on $T$.

— $R \subseteq W \times W \times W$ is the ternary accessibility relation on $W$ defined by:

$R((t_1, t_1'), (t_2, t_2'), (t, t'))$ iff $t = t_1$, $t_1' = t_2$, $t_2' = t'$.

This definition corresponds to the intuition of signed intervals given in the introduction. In particular, $R$ expresses that three signed intervals are related as indicated in Fig. 3, thus $R((b, m), (m, e), (b, e))$.

We want to be able to refer to the signed length of a signed interval (cf. the discussion in the introduction). For this we define the following:

Definition 4. Given a signed interval frame $(W, R)$ on a signed temporal domain $T$, a signed measure is a function $m \in W \to D$ where $D$ is a set equipped with a binary operator $+$ and a distinguished element $0 \in D$. Furthermore, $m$ has to satisfy the following conditions for any $t, t', u, u' \in T$ and $x, y \in D$:

M1: if $m(t, u) = m(t, u')$ then $u = u'$; if $m(u, t) = m(u', t)$ then $u = u'$

M2: $m(t, t) = 0$

M3: $m(t, u) + m(u, t') = m(t, t')$

M4: $m(t, t') = x + y$ iff $m(t, u) = x$ and $m(u, t') = y$ for some $u \in T$
We now define which properties a domain of values used to represent signed lengths should have in general (some of these are implicitly given by the above definition).

Definition 5. A signed duration domain is a group $(D, +, -, 0)$.¹

A chop-language which includes the symbols $\ell$, $+$, $-$ and $0$ (where $\ell$ is flexible and $+$, $-$, $0$ are rigid) will be called a signed interval language.

Definition 6. Given a signed temporal domain $T$, a signed duration domain $D$ and a signed measure $m \in T \times T \to D$, a signed interval model is a model $\mathcal{M} = (W, R, D, I)$ for a signed interval language where:

— The frame is the signed interval frame $(W, R)$ defined by $T$.

— The domain is the signed duration domain $D$.

— The interpretation of $\ell$, $0$, $+$ and $-$ is such that

$I(\ell)(t, t') = m(t, t')$, $\quad I(0)(t, t') = 0$, $\quad I(+)(t, t') = +$, $\quad I(-)(t, t') = -$

for any signed interval $(t, t') \in W$.

The class of all signed interval models will be denoted by $\mathcal{Z}$. We say that a formula $\phi$ is SIL-valid (written $\models_{\mathrm{SIL}} \phi$) if it is valid in $\mathcal{Z}$.

The semantics of the chop modality can be reformulated if we assume a signed interval model:

$\mathcal{M}, V, (b, e) \models \phi \frown \psi$ iff $\mathcal{M}, V, (b, m) \models \phi$ and $\mathcal{M}, V, (m, e) \models \psi$ for some $m \in T$.

This corresponds to the informal semantics given in Fig. 3.

4 Proof System 

The axioms of SIL are:

A1: $((\phi \frown \psi) \wedge \neg(\phi \frown \chi)) \Rightarrow (\phi \frown (\psi \wedge \neg\chi))$

R: $(\phi \frown \psi) \Rightarrow \phi$ if $\phi$ is a rigid formula
   $(\phi \frown \psi) \Rightarrow \psi$ if $\psi$ is a rigid formula

B: $(((\exists x)\phi) \frown \psi) \Rightarrow ((\exists x)(\phi \frown \psi))$ if $x$ is not free in $\psi$
   $(\phi \frown ((\exists x)\psi)) \Rightarrow ((\exists x)(\phi \frown \psi))$ if $x$ is not free in $\phi$

L1: $((\ell = x) \frown \phi) \Rightarrow \neg((\ell = x) \frown \neg\phi)$
    $(\phi \frown (\ell = x)) \Rightarrow \neg(\neg\phi \frown (\ell = x))$

L2: $(\ell = x + y) \Leftrightarrow ((\ell = x) \frown (\ell = y))$

L3: $\phi \Leftrightarrow (\phi \frown (\ell = 0))$
    $\phi \Leftrightarrow ((\ell = 0) \frown \phi)$

¹ The main binary operator of the group is $+$ and its unary inverse operator is $-$.

The inference rules of SIL are:

Modus Ponens (MP): from $\phi$ and $\phi \Rightarrow \psi$ infer $\psi$.

Necessitation (N): from $\phi$ infer $\neg(\neg\phi \frown \psi)$, and from $\phi$ infer $\neg(\psi \frown \neg\phi)$.

Generalization (G): from $\phi$ infer $(\forall x)\phi$.

Monotonicity (M): from $\phi \Rightarrow \psi$ infer $(\phi \frown \chi) \Rightarrow (\psi \frown \chi)$, and from $\phi \Rightarrow \psi$ infer $(\chi \frown \phi) \Rightarrow (\chi \frown \psi)$.

Furthermore, SIL contains axioms expressing the properties of a signed duration domain (cf. Definition 5):

D1: $(\forall x)(\forall y)(\forall z)((x + y) + z = x + (y + z))$

D2: $(\forall x)(x + 0 = x)$
    $(\forall x)(0 + x = x)$

D3: $(\forall x)(x + (-x) = 0)$
    $(\forall x)((-x) + x = 0)$

Finally, SIL contains axioms of first order predicate logic with equality. Any axiomatic basis can be chosen, but one has to be careful when instantiating universally quantified formulas. We can e.g. choose the following two axioms concerning universal quantification:

Q1: $(\forall x)\phi(x) \Rightarrow \phi(\theta)$ if $\theta$ is free for $x$ in $\phi(x)$ and ($\theta$ is rigid or $\phi(x)$ is chop-free)

Q2: $(\forall x)(\phi \Rightarrow \psi) \Rightarrow (\phi \Rightarrow (\forall x)\psi)$ if $x$ is not free in $\phi$

Note the strengthened side condition in Q1 compared to the side condition of first order predicate logic, which just reads "if $\theta$ is free for $x$ in $\phi(x)$" [10]. The extra condition is needed because $\ell$ is flexible: a term containing $\ell$ takes different values on the different intervals that a chop in $\phi(x)$ introduces, so the substitution could evaluate $\theta$ on an interval other than the one the quantifier ranges over.

A proof of $\phi$ (in the proof system of SIL) is defined in the standard way [10]. We write $\vdash_{\mathrm{SIL}} \phi$ to denote that a proof of $\phi$ in SIL exists, and we say that $\phi$ is a theorem of SIL. Similarly, given a set of formulas $\Gamma$, we define deduction of $\phi$ in SIL from $\Gamma$ (written $\Gamma \vdash_{\mathrm{SIL}} \phi$) in the standard way. We write $\Gamma, \psi \vdash_{\mathrm{SIL}} \phi$ for $(\Gamma \cup \{\psi\}) \vdash_{\mathrm{SIL}} \phi$.

We end this section by observing that the proof system of SIL is very similar to that of ITL [2]. Only the axioms relating to the duration domain distinguish the two systems: in ITL the axioms D1-D3 are not present; instead five other related axioms are added. This substantiates the assertion of the introduction that the proof system of SIL is not more complicated than that of ITL.



5 Soundness and Completeness 

In this section we sketch the proof of the completeness result for SIL: the proof system of SIL is sound and complete with respect to the class of all signed interval models. The completeness proof for SIL is inspired by the completeness proof for ITL [2].

The proof of completeness follows the general structure of a Henkin-style completeness proof [10,7]. The central idea in a Henkin-style proof is the following: given an arbitrary formula $\phi$ which is not a theorem, construct a model which satisfies $\neg\phi$. This implies the non-validity of $\phi$, and completeness follows.

We start by presenting some standard results used in Henkin-style complete- 
ness proofs, namely results concerning maximal consistent sets and witnesses. 

Definition 7. Let $\Gamma$ be a set of sentences of a signed interval language $\mathcal{L}$.

— $\Gamma$ is consistent (with respect to SIL) if there is no finite subset $\{\phi_1, \ldots, \phi_n\}$ of $\Gamma$ such that $\vdash_{\mathrm{SIL}} \neg(\phi_1 \wedge \ldots \wedge \phi_n)$.

— $\Gamma$ is maximal consistent if it is consistent and there is no consistent set of sentences $\Gamma'$ such that $\Gamma \subset \Gamma'$.

Let $B = \{b_0, b_1, b_2, \ldots\}$ be an infinite, countable set of symbols not occurring in the signed interval language $\mathcal{L}$. Let $\mathcal{L}^+$ denote the signed interval language obtained by adding all symbols of $B$ to $\mathcal{L}$ as rigid constants.

Definition 8. A set $\Gamma$ of sentences of $\mathcal{L}^+$ is said to have witnesses in $B$ if for every sentence of $\Gamma$ of the form $(\exists x)\phi(x)$ (where $x$ is the only free variable of $\phi(x)$) there exists a constant $b_i \in B$ such that $\phi(b_i) \in \Gamma$.

Theorem 1. If $\Gamma$ is a consistent set of sentences of $\mathcal{L}$, there is a set $\Gamma^*$ of sentences of $\mathcal{L}^+$ which satisfies the following:

$\Gamma \subseteq \Gamma^*$, $\Gamma^*$ is maximal consistent, $\Gamma^*$ has witnesses in $B$.

If $\Gamma_0$ is a consistent set of sentences of $\mathcal{L}$, let $\Gamma_0^*$ be a set of sentences of $\mathcal{L}^+$ whose existence is guaranteed by the above theorem.

Given a consistent set $\Gamma_0$ of sentences we can now construct a model $\mathcal{M}_0 = (W_0, R_0, D_0, I_0)$ where the worlds of $W_0$ are certain maximal consistent sets of sentences (including $\Gamma_0^*$), $R_0$ is defined by $R_0(\Delta_1, \Delta_2, \Delta)$ iff for any $\phi_1, \phi_2$, if $\phi_1 \in \Delta_1$ and $\phi_2 \in \Delta_2$ then $\phi_1 \frown \phi_2 \in \Delta$, and $D_0$ is the set of equivalence classes w.r.t. $=$ on $B$. Finally, $I_0$ is defined for all symbols in all worlds. For example, in the case of a propositional letter we define $I_0(p)(\Delta) = (p \in \Delta)$, i.e. $\mathcal{M}_0, V, \Delta \models p$ iff $p \in \Delta$.

The following theorem generalizes the case of a propositional letter to arbitrary formulas [2].

Theorem 2. $\mathcal{M}_0, V, \Delta \models \phi$ iff $\phi \in \Delta$.

The model $\mathcal{M}_0$ will play a central part in the construction of a satisfying signed interval model. Another important part in this construction will be played by the following proposition.
Proposition 1. Let $((\Delta_1, \Delta_2), (\Delta_1', \Delta_2')) \in (W_0 \times W_0) \times (W_0 \times W_0)$. If $R_0(\Delta_1, \Delta_2, \Gamma_0^*)$ and $R_0(\Delta_1', \Delta_2', \Gamma_0^*)$ then there is a unique world $\Delta \in W_0$ such that $R_0(\Delta_1, \Delta, \Delta_1')$ and $R_0(\Delta, \Delta_2', \Delta_2)$.

The intuition of this proposition can be given in terms of signed intervals: given a pair of pairs $((\Delta_1, \Delta_2), (\Delta_1', \Delta_2'))$ of consecutive signed intervals of the current signed interval $\Gamma_0^*$, there is a unique signed interval $\Delta$ lying between the two chopping points of the two pairs of signed intervals. We have sketched this intuition in Fig. 4.

Fig. 4. Possible configuration of the worlds of Proposition 1.

We will now start constructing a signed interval model from $\mathcal{M}_0$. For this we need to define a signed temporal domain $T$ (cf. Definition 6):

$T = \{ (\Delta_1, \Delta_2) \in W_0 \times W_0 \mid R_0(\Delta_1, \Delta_2, \Gamma_0^*) \}$.

The intuition behind this particular definition of $T$ is the following: if we think of the worlds of $W_0$ as signed intervals, $T$ is the set of all pairs of consecutive signed intervals of the current signed interval. These pairs define, by means of their chopping points, all the necessary temporal points. See Fig. 5.

Fig. 5. Intuitively, the points of $T$ are the "chopping points" (marked by $t_1$ and $t_2$ on the figure) of the pairs $(\Delta_1, \Delta_2)$ related by $R_0(\Delta_1, \Delta_2, \Gamma_0^*)$. The figure shows two of the possible pairs $(\Delta_1, \Delta_2)$.

We have now come to the crucial step in the construction. Intuitively, we want to identify a signed interval given by two points of $T$ with a signed interval of $W_0$. But this connection is exactly what Proposition 1 gives us. Formally, let $\mu : T \times T \to W_0$ be such that $\mu((\Delta_1, \Delta_2), (\Delta_1', \Delta_2'))$ is the world $\Delta$ given by Proposition 1. Revisit Fig. 4 for the intuition.

We are now ready to construct a model $\mathcal{M} = (W, R, D, I)$ on the basis of $\mathcal{M}_0$ as follows:

— The frame $(W, R)$ is the signed interval frame defined by $T$.

— The domain $D$ is the same as $D_0$.

— The interpretation function $I$ is given by $I(s)(t, t') = I_0(s)(\mu(t, t'))$ for any symbol $s$ and any signed interval $(t, t') \in W$.

The following proposition shows that $\mathcal{M}$ is indeed a signed interval model.

Proposition 2. The constructed model $\mathcal{M}$ is a signed interval model.

Proof. We have to make sure that $D$ of $\mathcal{M}$ is a signed duration domain and that the interpretation is as specified in Definition 6.

The rigid symbols $-$ and $+$ of $\mathcal{L}$ define a unary and a binary operation that we also denote by $-$ and $+$ in $D$. The interpretation of the rigid constant $0$ will be an element of $D$ we also denote by $0$. As D1-D3 are valid in $\mathcal{M}_0$, they will by Theorem 3 (see below) also be valid in $\mathcal{M}$, hence $(D, +, -, 0)$ is a signed duration domain. We now only need an appropriate signed measure. But it can be shown [15] that the interpretation of $\ell$ is already defined such that M1-M4 of Definition 4 are satisfied. Thus, we define the signed measure by $m(t, t') = I(\ell)(t, t')$ for any signed interval $(t, t') \in W$. □

We want to establish a connection between satisfaction of formulas in $\mathcal{M}$ and $\mathcal{M}_0$. We want to show that a formula is satisfied in a world $(t, t')$ of $\mathcal{M}$ iff it is satisfied in the corresponding world $\mu(t, t')$ of $\mathcal{M}_0$. The only difficulty is in the case of chop. For this we need the following two propositions (see [15] for proofs).

Proposition 3. If $t, t', u \in T$ then $R_0(\mu(t, u), \mu(u, t'), \mu(t, t'))$.

Proposition 4. Let $t, t' \in T$ and $\Delta_1, \Delta_2 \in W_0$. If $R_0(\Delta_1, \Delta_2, \mu(t, t'))$ then $\Delta_1 = \mu(t, u)$ and $\Delta_2 = \mu(u, t')$ for some $u \in T$.

We can now formulate the connection between $\mathcal{M}$ and $\mathcal{M}_0$. We note that since the domains of $\mathcal{M}$ and $\mathcal{M}_0$ are the same, an $\mathcal{M}$-valuation is also an $\mathcal{M}_0$-valuation.

Theorem 3. $\mathcal{M}, V, (t, t') \models \phi$ iff $\mathcal{M}_0, V, \mu(t, t') \models \phi$.

Proof. The proof is by a straightforward structural induction on $\phi$: in the case of $\phi$ being $\phi_1 \frown \phi_2$ we use Propositions 3 and 4. See [15]. □

We can now establish the main result of this section.

Theorem 4. If $\Gamma_0$ is a consistent set of sentences (with respect to SIL) then we can construct a signed interval model which satisfies $\Gamma_0$.

Proof. We know by Proposition 2 that the constructed model $\mathcal{M}$ is a signed interval model. We are therefore done if we can show that $\mathcal{M}$ satisfies $\Gamma_0$. It is possible to find worlds $\Delta_1, \Delta_2 \in W_0$ such that $R_0(\Delta_1, \Gamma_0^*, \Gamma_0^*)$ and $R_0(\Gamma_0^*, \Delta_2, \Gamma_0^*)$ (see [15]). Thus, both $t = (\Delta_1, \Gamma_0^*)$ and $t' = (\Gamma_0^*, \Delta_2)$ belong to $T$, hence $(t, t') \in W$. It is now immediate (by definition of $\mu$) that $\mu(t, t') = \Gamma_0^*$. Then, utilizing Theorems 3 and 2, we are done. □
From the above theorem the completeness of SIL now follows easily.

Theorem 5. A formula $\phi$ of a signed interval language is valid in $\mathcal{Z}$ (the class of all signed interval models) iff it is a theorem of SIL, thus

$\models_{\mathrm{SIL}} \phi$ iff $\vdash_{\mathrm{SIL}} \phi$.

Proof. For the if-part (soundness) we simply have to check that all axioms of SIL are valid in $\mathcal{Z}$ and that all inference rules of SIL preserve validity. This is straightforward.

For the only-if-part (completeness) assume $\phi$ is not a theorem of SIL. We now have to show that $\phi$ is not valid in some signed interval model. Let $\psi$ be the universal closure of $\phi$; $\psi$ is not a theorem either. The set $\{\neg\psi\}$ will therefore be consistent, and we can construct a signed interval model $\mathcal{M}$ which satisfies $\neg\psi$ (Theorem 4). Since $\neg\psi$ is satisfied by $\mathcal{M}$, $\psi$ is not valid in $\mathcal{M}$ and neither is $\phi$. □

Remark. The above completeness result is for a general class of signed interval 
models with no ordering on the underlying temporal domains. To justify the 
name “interval logic” one could argue that it would be more natural to require 
a total ordering on these domains. In [16] it is shown how a completeness result 
can be established in this case. 

6 Arrow Logic and Relational Algebra 

In this section we establish results relating SIL to arrow logic [9] and relational algebra [18]. These results rely on the capability to define an abbreviated unary modality in SIL which "reverses" the direction of an interval. We define:

$\phi^{\smile} = (\exists x)((\ell = x) \wedge (((\ell = 0) \wedge ((\ell = x) \frown \phi)) \frown \mathit{true}))$,

where $\mathit{true} = (0 = 0)$ and $x$ is some variable not free in $\phi$. The following proposition can now be proved [15].

Proposition 5. For any signed interval model $\mathcal{M}$, valuation $V$ and signed interval $(b, e)$:

$\mathcal{M}, V, (b, e) \models \phi^{\smile}$ iff $\mathcal{M}, V, (e, b) \models \phi$.

Intuitively, on $(b, e)$ the outer chop with $(\ell = 0)$ on its left part forces that chopping point to be $b$ (by M1 and M2), and the inner chop on $(b, b)$ with $(\ell = x)$, where $x$ is the value of $\ell$ on $(b, e)$, forces its chopping point to be $e$ (by M1), so $\phi$ is evaluated on $(e, b)$.

Arrow logic [9] is a modal logic where the possible worlds are pairs of elements from some set. We see that this corresponds to signed intervals of SIL, which makes a comparison interesting.

Arrow logic is equipped with a constant $\delta$, a unary modality $\otimes$ and a binary modality $\circ$. The semantics of $\delta$, $\otimes$ and $\circ$ can informally be given in terms of SIL: $\delta$ corresponds to $(\ell = 0)$, $\otimes$ to $^{\smile}$ and $\circ$ to $\frown$. In arrow logic $\delta$, $\otimes$ and $\circ$ are basic modalities and not abbreviations of some kind. In SIL we can define $^{\smile}$ using $\frown$ and $\ell$. Thus, we conclude that SIL can express the same as arrow logic with just the basic modality $\frown$ (corresponding to $\circ$) and the special symbol $\ell$.

But this expressive power of SIL has a price: firstly, the introduction of $\ell$ restricts the set of possible models considerably. Secondly, to define $^{\smile}$ it was necessary to use a first order construct to quantify over the value of $\ell$. In conclusion we can therefore (rather informally) state that: SIL is a first order arrow logic with the special symbol $\ell$.

We now consider another consequence of $^{\smile}$. It seems natural to think of signed intervals as binary relations, hence $(t, t') \in T \times T$ asserts that $t$ is related to $t'$. In some signed interval model, a formula $\phi$ will either be true or false on some signed interval. If we now consider the set of all signed intervals on which $\phi$ is true we will have a binary relation on $T$. We will in the following pursue this idea by relating SIL to relational algebra [18].

Definition 9. A relational algebra $\mathfrak{R} = (S, \oplus, \odot, \circ, \ominus, \otimes, 0, 1, \mathit{id})$ is a non-empty set $S$ equipped with three binary operators $\oplus, \odot, \circ$, two unary operators $\ominus, \otimes$, and three constants $0, 1, \mathit{id}$ such that $(S, \oplus, \odot, \ominus, 0, 1)$ is a Boolean algebra and the following axioms are satisfied for all $x, y, z \in S$:

RA1: $(x \oplus y) \circ z = (x \circ z) \oplus (y \circ z)$
RA2: $\otimes(x \oplus y) = \otimes x \oplus \otimes y$
RA3: $(x \circ y) \circ z = x \circ (y \circ z)$
RA4: $\ominus(\otimes x \circ \ominus(x \circ y)) \oplus \ominus y = 1$
RA5: $x \circ \mathit{id} = x$
RA6: $\otimes\otimes x = x$
RA7: $\otimes(x \circ y) = \otimes y \circ \otimes x$

We now formally define how to build the above mentioned binary relations.

Definition 10. Let $\mathcal{M} = (W, R, D, I)$ be a signed interval model and $V$ an $\mathcal{M}$-valuation. As $\mathcal{M}$ is a signed interval model we will have $W = T \times T$ for some set $T$. We now define the SIL-relation of $\phi$ (written $R_{\mathcal{M},V}(\phi)$) by:

$R_{\mathcal{M},V}(\phi) = \{ (t, t') \in T \times T \mid \mathcal{M}, V, (t, t') \models \phi \}$.

Furthermore, we define the set $\mathcal{R}_{\mathcal{M},V}$ of all SIL-relations in a given model and valuation:

$\mathcal{R}_{\mathcal{M},V} = \{ R_{\mathcal{M},V}(\phi) \mid \phi \in \mathit{Formulas} \}$.

To establish the connection to relational algebra, we associate three binary operators $+$, $\cdot$, $;$, two unary operators $-$, $\breve{\ }$ and three constants $0, 1, 1'$ with $\mathcal{R}_{\mathcal{M},V}$. The meaning of these operators and constants is given by the following equivalences:

$1 = R_{\mathcal{M},V}(\mathit{true})$
$0 = R_{\mathcal{M},V}(\mathit{false})$
$1' = R_{\mathcal{M},V}(\ell = 0)$
$-R_{\mathcal{M},V}(\phi) = R_{\mathcal{M},V}(\neg\phi)$
$R_{\mathcal{M},V}(\phi) + R_{\mathcal{M},V}(\psi) = R_{\mathcal{M},V}(\phi \vee \psi)$
$R_{\mathcal{M},V}(\phi) \cdot R_{\mathcal{M},V}(\psi) = R_{\mathcal{M},V}(\phi \wedge \psi)$
$R_{\mathcal{M},V}(\phi) ; R_{\mathcal{M},V}(\psi) = R_{\mathcal{M},V}(\phi \frown \psi)$
$\breve{R}_{\mathcal{M},V}(\phi) = R_{\mathcal{M},V}(\phi^{\smile})$

Any SIL-relation built using any of the three constants and five operators can thus by simple equational reasoning be transformed to a single SIL-relation $R_{\mathcal{M},V}(\phi)$ for some formula $\phi$.

To show equivalence of SIL-relations we have the following lemma. 
Lemma 1. $\models_{\mathrm{SIL}} \phi \Leftrightarrow \psi$ implies $R_{\mathcal{M},V}(\phi) = R_{\mathcal{M},V}(\psi)$.

We can now formulate the following theorem saying that $\mathcal{R}_{\mathcal{M},V}$ together with the above defined operators and constants is a relational algebra.

Theorem 6. $\mathfrak{R}_{\mathrm{SIL}} = (\mathcal{R}_{\mathcal{M},V}, +, \cdot, ;, -, \breve{\ }, 0, 1, 1')$ is a relational algebra.

Proof. By Definition 9 we must first show that $(\mathcal{R}_{\mathcal{M},V}, +, \cdot, -, 0, 1)$ is a Boolean algebra. But this follows easily due to the standard correspondence between propositional logic and Boolean algebra.

We must then show that $\mathfrak{R}_{\mathrm{SIL}}$ satisfies the axioms RA1-RA7 for arbitrary members of $\mathcal{R}_{\mathcal{M},V}$. For this we use Lemma 1. For example, we can show that $\mathfrak{R}_{\mathrm{SIL}}$ satisfies RA6 by showing $\models_{\mathrm{SIL}} \phi^{\smile\smile} \Leftrightarrow \phi$. But this is not difficult using Proposition 5. See [15] for the full proof of the theorem. □

Theorem 6 gives a nice theoretical characterization of the expressive power of SIL. It is only establishable because $^{\smile}$ is definable in SIL.

7 Future Intervals 

As discussed in the introduction, SIL has the ability to express liveness prop- 
erties. An abstract liveness property could e.g. be that some property will hold 
eventually. 

To be able to express such properties concisely in SIL it would be convenient 
to have modalities saying that a formula will hold on some future interval or on 
all future intervals with respect to the current interval. But what exactly should 
we consider to be a future interval? And how should we define abbreviated 
modalities in SIL expressing this? We will briefly consider these questions in 
this section. There is a more comprehensive discussion in [15]. 

Firstly, we have to assume a total ordering $\le$ on both the signed temporal domain and on the signed duration domain. A completeness result for SIL in this case is established in [16]. A definition of a future interval could then be the following: if the current interval is $(b, e)$ then a future interval is any interval $(m, n)$ with $n \ge e$ and $m \ge b$. This can be illustrated by the following two figures:

(Figure: the current interval $(b, e)$ drawn forward, $b \le e$, and backward, $e \le b$, with a future interval $(m, n)$ in each case.)

We can also consider definitions of future intervals which are independent of the direction of the current interval. We can e.g. define a future interval as any interval $(m, n)$ where both $m$ and $n$ are greater than or equal to $\min(b, e)$, where $(b, e)$ is the current interval. This can be illustrated by the following two figures:

(Figure: the current interval $(b, e)$ drawn forward and backward, with a future interval $(m, n)$ lying to the right of $\min(b, e)$ in each case.)
Both the above proposals are reflexive and transitive, which seem to be very desirable properties for practical use. In [15] other proposals are discussed, but they are discarded as they are either not reflexive or not transitive.

According to the above two proposals for future intervals, the goal is now to define two abbreviated modalities $\Box$ and $\Diamond$ such that $\Box\phi$ holds on an interval iff $\phi$ holds on all future intervals and $\Diamond\phi$ holds on an interval iff $\phi$ holds on some future interval. The first proposal gives rise to the following two abbreviations:

$\Diamond\phi = ((\ell \ge 0) \frown (\phi \frown (\ell \le 0)))$ and $\Box\phi = \neg\Diamond(\neg\phi)$.

The second proposal gives rise to the following abbreviations:

$\Diamond'\phi = ((((\ell \ge 0) \frown (\phi \frown (\ell \le 0))) \wedge (\ell = 0)) \frown \mathit{true}) \vee (\mathit{true} \frown (((\ell \ge 0) \frown (\phi \frown (\ell \le 0))) \wedge (\ell = 0)))$ and

$\Box'\phi = \neg\Diamond'(\neg\phi)$.

Which definition of future intervals to choose of course depends on the particular 
problem at hand. A reason for choosing the first proposal would be that the 
corresponding modalities are fairly simple compared to the modalities of the 
second proposal. On the other hand, in [15] an example is considered where the 
second proposal is chosen because the first turns out inadequate. This is due to 
the fact that all subintervals of the current interval are future intervals in the 
second proposal whereas they are not in the first. 

8 Further Work on SIL 

As mentioned in the previous section, there is a more comprehensive discussion 
of future intervals in [15]. Here it is also discussed how to define a contracting 
chop in SIL. 

Two simple modalities $\Diamond$ and $\Box$ are introduced in [15] such that a formula
$\Box\varphi$ holds on a signed interval iff $\varphi$ holds on all possible signed intervals and $\Diamond\varphi$
holds on a signed interval iff $\varphi$ holds on some signed interval. By means of $\Box$ a
deduction theorem for SIL is established: if $\Gamma, \varphi \vdash_{\mathrm{SIL}} \psi$ then $\Gamma \vdash_{\mathrm{SIL}} \Box\varphi \to \psi$
(with a side condition on the free variables of $\varphi$).

In [15] several proofs in the proof system of SIL are conducted. Various 
general conventions and results for proof-making in SIL are established. 

An extension to SIL called Signed Duration Calculus (SDC) is developed in
[15]. The basic idea of this is the same as that in [22,6]. Syntax, semantics, and
proof system for SDC are given in [15].

In [15] a very simple example concerning liveness and proof of correctness 
hereof is considered. We hope to consider a larger case study in SIL/SDC in the 
future and we also hope to investigate further theoretical results concerning e.g. 
decidability and proof theory for SIL/SDC. 
Abstract. We define a quantitative Temporal Logic that is based on a
simple modality within the framework of Monadic Predicate Logic. Its
canonical model is the real line (and not an $\omega$-sequence of some type).
We prove its decidability using general theorems from Logic (and not
Automata theory). We show that it is as expressive as any alternative
suggested in the literature.



1 Introduction 

1.1 Summary of the Results 

Temporal Logic (TL) is a convenient framework for reasoning about the evolution
of a system in time. This made TL a popular subject in the Computer
Science community and it enjoyed extensive research during the last 20 years.
In temporal logic the relevant properties of the system are described by Atomic
Propositions that hold at some points in time and not at others. More complex
properties are described by formulas built from the atoms using Boolean
connectives and Modalities (temporal connectives): a $k$-place modality $\mathbf{O}$ transforms
statements $\varphi_1, \dots, \varphi_k$ on points possibly other than the given point $t_0$
to a statement $\mathbf{O}(\varphi_1, \dots, \varphi_k)$ on the point $t_0$. The rule that specifies when
the statement $\mathbf{O}(\varphi_1, \dots, \varphi_k)$ is true for the given point is called Truth Table in
[GHR94]. The choice of the particular modalities with their truth tables determines
the different temporal logics. The most basic modality is the one place
“diamond” modality $\Diamond X$ saying “X holds some time in the future”. Its truth
table is usually formalized by $\varphi_\Diamond(t_0, X) = (\exists t > t_0)\, X(t)$ [GHR94].

The truth table of $\Diamond$ is a formula of the Monadic Logic of Order (MLO). MLO
is a fundamental formalism in Mathematical Logic, part of the general framework
of Predicate Logic. Its formulas are built using atomic propositions $X(t)$ (similar
to the atoms $X$ of TL), atomic relations between elements $t_1 = t_2$, $t_1 < t_2$ and
using Boolean connectives and (first order) quantifiers $\exists t$ and $\forall t$ (occasionally we
shall be interested in second order MLO that has also quantifiers $\exists X$ and $\forall X$).
Practically all the modalities used in the literature have their truth table defined
in MLO and as a result every formula of the temporal logic translates directly
into an equivalent formula of MLO. Therefore, the different temporal logics may
be considered a convenient way to use fragments of MLO. There is a lot to be
gained from adopting this point of view: the rich theory concerning MLO and
in particular the decidability results concerning MLO apply to TL. MLO can
also serve as a yardstick by which to check the strength of the temporal logic
chosen: a temporal logic is expressively complete if every formula of MLO with
single free variable $t_0$ is equivalent to a temporal formula. An expressively complete
temporal logic is as strong as can be expected.

Actually the notion of expressive completeness refers to a temporal logic
and to a model (or a class of models) since the question if two formulas are
equivalent depends on the domain over which they are evaluated. Any ordered
set with monadic predicates is a model for TL and MLO, but the main, canonical,
intended models are the non-negative integers $(\mathbb{N}, <, 0)$ for discrete time and the
non-negative reals $(\mathbb{R}^+, <, 0)$ for continuous time. There may be reasons to use
other models but they should be spelled out explicitly if the need arises to ignore
the natural model. A major result concerning TL is Kamp’s proof [Kamp68]
(reproved in [GPSS80]) that the pair of modalities $X$ until $Y$ and $X$ since $Y$ is
expressively complete for the two canonical models (but not for less natural
models like the rationals). Note that since this paper is not concerned with
discrete time we mean from now on only the model of non-negative reals
when we speak of the canonical model.

Sometimes, in particular in Computer Science, it is natural to restrict the
attention to a subclass of unary predicates over $\mathbb{R}^+$, the class of predicates
with “finite variability”, i.e. predicates that change from true to false only
finitely often in any finite interval of time. We shall call the standard model
with these finite variability predicates the “canonical finite variability model”.
It is clear that a predicate $X$ is a finite variability predicate if and only if there
is an unbounded increasing sequence $t_i$ such that $X$ is constant on any interval
$(t_i, t_{i+1})$.

MLO and its derived temporal logics are not suitable to deal with quantitative
properties. The most basic quantitative property is “X will happen within one
unit of time”. This is the analogue of the discrete case modality “X will happen
at the next step”. A natural way to deal with quantitative modalities is by
extending MLO to MLO$_1$, monadic logic of order with the $+1$ function: adding
to the language the function $S(t) = t + 1$. The basic modality described above
is then described by the formula:

(1) $\varphi(t_0, X) = \exists t\,(t_0 < t < t_0 + 1 \wedge X(t))$

The canonical model $\mathbb{R}^+$ is also the canonical model for MLO$_1$ but there may be
other models: with a different time scale (e.g. $S(t) = 2t$) or any ordered set
with a function $+1$ that satisfies some obvious axioms (see Section 3). Unfortunately,
MLO$_1$ is too expressive and it is undecidable over the canonical model
(this follows also from [AFH96]). Quite a few formalisms have been suggested in
the literature in order to supply TL with the capability to deal with quantitative
properties in a decidable way. Many of them are surveyed in [AH92]. We add
one that seems to be the simplest and the right one:
a) We take (1) as a table for the modality $\Diamond_1 X$ and its companion (2) as the
table for the modality $\overleftarrow{\Diamond}_1 X$, “X happened during the previous unit of time”:

(2) $\overleftarrow{\varphi}(t_0, X) = \exists t\,(t_0 - 1 < t < t_0 \wedge X(t))$.

The $t - 1$ is interpreted as 0 for $t < 0 + 1$ and as the standard $t - 1$ function
for $t > 0 + 1$.

b) We add those two simple modalities to TL obtaining quantitative temporal
logic QTL. We also identify the corresponding fragment QMLO of MLO$_1$.

c) We show that these logics are as expressive as any of the previously suggested
constructs by showing how these constructs are defined in QMLO.

d) We show that the validity (and satisfiability) problems for this logic are
decidable over the canonical model by reducing the problem to decidability of
pure MLO and using the decidability results for MLO in [BG85].

e) We show that the satisfiability problem for QTL in the canonical finite
variability model is PSPACE complete. In view of (c) the last two items reprove
the decidability and the complexity results for logics like MITL without
resorting in the proof to automata theory. It may seem surprising that automata
theory does not yield any tighter bounds than straightforward translations
and general logical considerations.

f) The whole discussion except for the complexity results applies uniformly to 
the canonical finite variability model and to the canonical general model. No 
other approach was even able to represent the most natural canonical model. 

While QTL is as expressive as any of its rivals in the literature, it can be
enriched to stronger yet still decidable logics. For example A. Pnueli’s modality
in $X$ and $Y$: $F(t_0, X, Y) = \exists t_1 \exists t_2\,[t_0 < t_1 < t_2 < t_0 + 1 \wedge X(t_1) \wedge Y(t_2)]$ and
similar constructs can be added retaining decidability. However, none of these
modalities seem general enough to be officially added to QTL. The search for a
natural stronger logic still continues [HR99].

We believe that our formalism is exactly the right one: We use the most 
natural model, we use the most simple pair of quantitative modalities, everything 
is done within plain mathematical logic with no new or ad-hoc constructs, we 
prove decidability using mainstream logic and our formalism works just as well 
for general systems that may vary infinitely often in a finite length of time. 

1.2 Comparison with Previous Works 

Many formalisms were suggested in the last 15 years to extend temporal logic 
to deal with quantitative properties, as surveyed in [AH92] and [Wilke94]. 

“The number of formalisms that purportedly facilitate the modeling,
specifying and proving of timing properties for reactive systems has
exploded over the past few years. The authors, who confess to have added
to the confusion by advancing a variety of different syntactic and semantic
proposals, feel that it would be beneficial to pause for a second - to
pause and look back to sort out what has been accomplished and what
needs to be done.” [AH92].

“Recent research in reactive and hybrid systems is dominated by a
plethora of Concepts, Terminology, Notations. Unfortunately, this background
is not free of ad-hoc and ambiguous decision which are liable to
misjudgments and to infliction of myths into the area” [Trak99].

So it is not easy to compare our work with the related literature. We shall try 
to compare our work to the previous results regarding four aspects: the model 
used, the temporal connectives introduced, the decidability proof technique and 
the complexity of the method. 



Models In [AH92] (section 2.2) there is a classification of all the models leading
to “sixteen possible formal semantics of real time sequences”. All sixteen models
are $\omega$-sequences of some kind. None of them is the real line itself. None of them
reflects the real line faithfully and none avails itself to be adjusted to systems
without finite variability. In section 7 we shall compare the canonical model with
two of the most popular models.



Formal Language Some of the formalisms are obtained from logics or temporal 
logics by adding programming language constructs which lack the universality 
of logical notions. Notions such as freeze quantification, clock variables, half- 
order logics, explicit-clock notations, reset quantifications, position variables and 
position quantifications, nonstandard reals (which have nothing to do with the 
non-standard analysis) etc were invented [AH92,BL95,HRS98]. 

Others use temporal connectives which are definable in a fragment of first
or second order Monadic Logic. We will discuss only the latter. Notable among
logics with first-order defined connectives is MITL of [AFH96]. All such decidable
languages are equal in expressive power to the most basic logic QTL on the finite
variability canonical model. On the different $\omega$-sequence models the logics differ
in expressive power, causing a proliferation of logics. Thus “$\varphi$ will happen within
two units of time” is expressible in the canonical models through the connective
“$\varphi$ will happen within one time unit” but not so in the popular model of state
sequences (see section 7).

Some modalities suggested in the literature were motivated by pragmatic
considerations. Others were obtained by annotating the authors’ favorite
modalities for TL with some time constraints. For example, the operator $\Diamond_{[1,3]}$ is
interpreted as “eventually within one to three time units.” There is no yardstick
by which to measure the appropriateness of a temporal logic.

The most important characteristics of these formalisms are (1) expressiveness,
which refers to the correctness properties which the formalism can specify, and (2)
complexity and decidability, the complexity of the model checking and the
satisfiability problems for the formalism. One of the main goals was to formulate
the most expressive logic which is still decidable.



Decidability Alur and Dill introduced timed automata and proved that the
emptiness problem is decidable for the class of these automata [AD94]. The proof
reduces the problem to the emptiness problem for Büchi $\omega$-automata. This result
was used in all the previous approaches to prove that the logic is decidable (we
suspect that this is the main reason why all the authors ignored the standard
model in favor of an $\omega$-sequence model of some kind).

The class of languages accepted by timed automata is not closed under
complementation. On the other hand logic is closed under negation. Therefore the
usual way to show that a logic was decidable was to introduce some variations
and restrictions of timed automata which are closed under complementation
and to provide an effective transformation from logical formulae to “equivalent”
automata in this class. These classes were given nice descriptive names like “Recursive
Event Clock Automata” [HRS98] or “Bounded Two Way Deterministic
Timed Automata” [AH92a]. It seems that these classes of automata do not give
any additional insight about the corresponding logic.

In contrast our decidability proof remains within the framework of logic, first
reducing the language to a normal form (“Timer normal form”) and then reducing
the problem to the known result about the decidability of pure MLO (or
TL). In particular our proof applies just as well to the standard model with all
the unary predicates (and not just finite variability predicates).



Complexity It may have been hoped that the use of automata theory for 
decidability would provide a less complex procedure and clearer bounds than 
decidability proofs based on general logical reductions. We found this not to be 
the case; our method easily yields the same upper bounds or better ones (see 
section 6). 

2 Monadic Logic of Order (MLO) and Temporal Logic (TL)

We survey the basic facts about these logics introducing TL within the frame- 
work of MLO [GHR94]. 

The syntax of MLO has in its vocabulary individual (first order) variables
$t_0, t_1, \dots$, monadic predicate names $X_0, X_1, \dots$, and one binary relation $<$ (the
order). Atomic formulas are of the form $X(t)$, $t_1 < t_2$ and $t_1 = t_2$. MLO formulas
are obtained from atomic formulas using the Boolean connectives $\vee, \wedge, \neg, \to$
and the (first order) quantifiers $\exists t$ and $\forall t$.

Second order Monadic Logic of Order formulas are obtained using also second
order quantifiers $\exists X$ and $\forall X$.

Warning on Terminology. In this work we are mainly interested in first- 
order monadic logic of order, unless explicitly stated otherwise. 

As usual if $\varphi$ is a formula we may write $\varphi(t_1, \dots, t_k; X_1, \dots, X_m)$ to indicate
that the free variables in $\varphi$ are among $t_1, \dots, t_k$ and the monadic predicate names
are among $X_1, \dots, X_m$.

A structure for MLO is a pair $M = (A, <)$ where $<$ is a linear order over $A$.
The important examples for us are: $(\mathbb{R}^+, <)$ and $(\mathbb{N}, <)$; the non-negative real
line and the non-negative integers. Note that at this stage, we made the choice
to deal only with linear orders so that trees and other orders are not in the scope
of the discussion at present.

We shall not repeat the inductive definition saying when a formula is satisfied.
Recall that in order to check if the formula $\varphi(t_1, \dots, t_k; X_1, \dots, X_m)$ is true we
need to specify which model $M = (A, <)$ is intended and what are the elements
$\tau_1, \dots, \tau_k$ in $A$ and the predicates (subsets) $P_1, \dots, P_m$ over $A$ which are assigned
to the variables and predicate names $t_1, \dots, t_k, X_1, \dots, X_m$. Hence, the notation
will usually be

$(M, \tau_1, \dots, \tau_k; P_1, \dots, P_m) \models \varphi(t_1, \dots, t_k; X_1, \dots, X_m)$

which we also abbreviate to

$M \models \varphi[\tau_1, \dots, \tau_k; P_1, \dots, P_m]$

or even to $M \models \varphi[\bar\tau, \bar P]$ where the bar denotes a tuple of appropriate length.
When we define the semantics of a second order formula or when we deal with
validity and satisfiability of a first order formula it is necessary to specify over
which predicates the variables $X$ should range. In full MLO they range over all
unary predicates (i.e. subsets).

A requirement that is often imposed in the literature is that in every bounded
time interval a system can change its state only finitely many times. This
requirement is called the finite variability (or non-Zeno) requirement. We consider
also the finite variability interpretation of second-order MLO. Under this
interpretation monadic predicates range over predicates with finite variability. Observe
that in the real model this property of a predicate $X$ can be expressed by a
pure first-order formula [Rab98]. It is worth noting that there is no first-order
monadic formula that defines finite variability predicates over the rationals;
however, the finite variability predicates over the rationals can be defined by a
monadic second-order formula.

The syntax of Temporal Logic (TL) has in its vocabulary predicate variables
$X_1, X_2, \dots$ and some modality names with prescribed arity $\mathbf{O}_1^{(k_1)}, \mathbf{O}_2^{(k_2)}, \dots$ (the
arity notation is usually omitted). For example the “sometime in the future”
modality $\Diamond$ has arity 1. The “_until_” modality has arity 2.

Atomic formulas are just variables $X_i$ and temporal formulas are obtained
from the atoms using Boolean connectives and applying the modalities:
if $\varphi_1, \dots, \varphi_k$ are temporal formulas then so is $\mathbf{O}(\varphi_1, \dots, \varphi_k)$. As usual we
write $\varphi$ until $\psi$ instead of until$(\varphi, \psi)$.

Structures for TL are again linear orders $M = (A, <)$. Every modality is
interpreted in every structure $M$ as an operator $\mathbf{O}_M : [\mathcal{P}(M)]^k \to \mathcal{P}(M)$ which
assigns “the set of points where $\mathbf{O}[P_1, \dots, P_k]$ holds” to the $k$-tuple $(P_1, \dots, P_k)$.
We consider only modalities which are defined in MLO: we assume that for every
modality there is a formula (truth table) $O(t_0, X_1, \dots, X_k)$ of MLO such that
in every structure $M$:

$\mathbf{O}_M(P_1, \dots, P_k) = \{\tau \mid M \models O[\tau; P_1, \dots, P_k]\}$.
Example (Tables for Modalities)

— The modality $\overleftarrow{\Diamond} X$, “X has happened before”, is defined by $\varphi(t_0, X) = \exists t < t_0\;
X(t)$.

— The modality $X$ until $Y$ is defined by $\psi(t_0, X, Y) = \exists t_1\,(t_0 < t_1 \wedge Y(t_1) \wedge
\forall t\,(t_0 < t < t_1 \to X(t)))$.

— The modality $X$ since $Y$ is defined by $\psi(t_0, X, Y) = \exists t_1\,(t_0 > t_1 \wedge Y(t_1) \wedge
\forall t\,(t_1 < t < t_0 \to X(t)))$.

Satisfaction of a formula at a point $\tau$ in the model $M$ is defined inductively
starting with:

$(M, \tau, \bar P) \models X_i$ iff $\tau \in P_i$

and

$(M, \tau, \bar P) \models \mathbf{O}(X_1, \dots, X_k)$ iff $(M, \tau, P_1, \dots, P_k) \models O(t_0, X_1, \dots, X_k)$.

This extends easily to:

Proposition. For every formula $\varphi(X_1, \dots, X_n)$ of TL there is a formula
$\hat\varphi(t_0, X_1, \dots, X_n)$ of MLO such that for every $M$, $\tau \in M$ and predicates $P_1, \dots, P_n$

$(M, \tau, P_1, \dots, P_n) \models \varphi$ iff $(M, \tau, P_1, \dots, P_n) \models \hat\varphi$.

MLO supplies us with a yardstick by which to measure if a temporal logic
(i.e. a choice of modalities) is as expressive as can be hoped for:

Definition. Let $C$ be a class of structures and $L$ a temporal logic. $L$ is
expressively complete with respect to $C$ if every formula $\varphi$ of MLO with single first
order free variable $t_0$ is equivalent in $C$ to some formula of the logic. A list
of modalities is expressively complete if the temporal logic with
these modalities is expressively complete.

There are natural choices for expressively complete sets of modalities:

Theorem 1. a) ([Kamp68], reproved in [GPSS80]): The pair of modalities
$X$ until $Y$ and $X$ since $Y$ is expressively complete for the canonical structures: the real line and
the natural numbers.

b) [GHR94] There is a pair of modalities $X\ \mathit{until}_S\ Y$ and $X\ \mathit{since}_S\ Y$ (“Stavi’s
modalities”) which together with the since and until is expressively complete for
the class of all linear orders.

3 Quantitative Temporal Logic and Quantitative MLO 

The logics MLO and TL are not suitable to deal with quantitative statements 
like “X will occur within one unit of time”. This can be easily remedied in 
predicate logic by using the function t+1: 
Definition. MLO$_1$, the monadic logic of order with a $+1$ function, is the
monadic logic built from the primitive relation $<$ and one unary function symbol
which we denote either by $S(t)$ or by $t + 1$. The standard (canonical) model
for this logic is the non-negative real line with the usual $+1$ function. General
structures for MLO$_1$ are ordered structures $M = (A, <, 0, S)$ with first element 0
and with a unary function $S$ that satisfies some natural requirements, like strict
monotonicity and the non-Archimedean property.

We will deal here only with the canonical model and leave out the axiomatization
of more general models. We use the standard notation $t + 1$ for $S(t)$, $n$
for $0 + 1 + \dots + 1$ ($n$ times) and $t - 1$ for 0 when $t < 1$ and for the unique $t_1$
such that $t_1 + 1 = t$ for $t > 1$.

MLO$_1$ is a broad language and everything that we do is inside MLO$_1$. But it
is too strong: the problem of validity and satisfiability in the standard model is
undecidable for MLO$_1$ (there is a natural encoding of Turing computations that
shows it but it can also be deduced from the undecidability proof in [AFH96]).
We shall, therefore, start at the other end: introduce the simplest quantitative
modalities to TL and check what the corresponding fragment of MLO$_1$ is. We
then check if the result is expressive enough and if it is decidable.

Definition: Quantitative Temporal Logic (QTL) is the temporal logic
constructed from an expressively complete set of modalities for MLO and two
new modalities $\Diamond_1 X$ and $\overleftarrow{\Diamond}_1 X$ defined by the tables (in $t_0$):

(3) $\Diamond_1 X$ : $\exists t\,((t_0 < t < t_0 + 1) \wedge X(t))$

(4) $\overleftarrow{\Diamond}_1 X$ : $\exists t\,((t_0 - 1 < t < t_0) \wedge X(t))$



Next we intend to identify the fragment of MLO$_1$ that corresponds to QTL.
This fragment will use the function $t + 1$ only in a very restricted form as indicated
in (3) and (4). We introduce some syntactic sugar to MLO$_1$, the “bounded
quantifiers” $(\exists t)^{<t_0+1}_{>t_0}$ and $(\exists t)^{<t_0}_{>t_0-1}$, as follows: if $\varphi$ is a formula of MLO$_1$ then
we use the shorthand:

(5) $(\exists t)^{<t_0+1}_{>t_0}\,\varphi = \exists t\,(t_0 < t < t_0 + 1 \wedge \varphi(t))$

(6) $(\exists t)^{<t_0}_{>t_0-1}\,\varphi = \exists t\,(t_0 - 1 < t < t_0 \wedge \varphi(t))$



Definition. Quantitative Monadic Logic of Order (QMLO) is the fragment of
MLO$_1$ which is built from the atomic formulas $t_1 < t_2$, $t_1 = t_2$, $X(t)$ ($t, t_1, t_2$
variables) using Boolean connectives, first order quantifiers and the following
rule: if $\varphi(t)$ is a formula of QMLO with $t$ its only first order free variable then
$(\exists t)^{<t_0+1}_{>t_0}\,\varphi$ and $(\exists t)^{<t_0}_{>t_0-1}\,\varphi$ are formulas of QMLO.

The following observation characterizes the expressive power of QTL. 
Theorem 2. Let $F$ be an expressively complete set of modalities (over the reals)
for first-order MLO. For every formula $\varphi$ over the modalities $F \cup \{\Diamond_1, \overleftarrow{\Diamond}_1\}$ there
is a formula $\phi(t_0)$ of QMLO effectively computable from $\varphi$ such that $\phi(t_0)$ is
equivalent (over the reals) to $\varphi$. For every formula $\psi(t_0)$ of QMLO there is a
formula $\varphi$ over the modalities $F \cup \{\Diamond_1, \overleftarrow{\Diamond}_1\}$ effectively computable from $\psi(t_0)$ such
that $\psi(t_0)$ is equivalent (over the reals) to $\varphi$.

Proof. Straightforward induction.

4 The Expressive Power of QMLO 

4.1 General Bounded Quantifiers 

At first glance the modalities $\Diamond_1$ and $\overleftarrow{\Diamond}_1$ may seem insufficient to express more
general modalities like $\Diamond_{[5,7)}$ defined by the table $\exists t.\; t_0 + 5 \le t < t_0 + 7 \wedge X(t)$.
However this is not the case.

We shall first show that one can use more general quantifiers in QMLO:
$(\exists t)^{<t_0+n+m}_{>t_0+n}$ and quantifiers with weak inequality replacing the strict
inequality in one or both ends of the interval, where $n$ is an integer and $m$ is a
positive natural number.

(a) {3t)§l+^X{t) ^ A (to) V (3t)<ll+^X{t) 

(b) {3t)ffi+^X{t) = (3t)<*fiA(t) V[First (to, A) A i(3t)<*(+iA(t)] 

where $\mathit{First}(t_0, X)$ says that there is a first point past $t_0$ for which $X(t)$ holds:

(7) $\mathit{First}(t_0, X) = \exists t_1\,[t_0 < t_1 \wedge X(t_1) \wedge \forall t\,(t_0 < t < t_1 \to \neg X(t))]$

It is not difficult to see that once a first solution to $X(t)$ is granted then the last
conjunct in (b) is equivalent to $X(t_0 + 1)$ (note, however, that $X(t_0 + 1)$ by itself
is not definable in QMLO and its addition would lead to undecidability).

Hence the quantifiers $(\exists t)^{<t_0+1}_{\ge t_0}$ and $(\exists t)^{\le t_0+1}_{>t_0}$ are definable in QMLO.

Let us list some more laws 

(c) (3t)<“+iA(t) ^ (VQllf '3Q.Q >tAX{fi) 

(d) {yt)ft:Xu^^X{t) ^ (Vt)<*“+^i(3Q)^r'(Vfi)^^^+'X(ti) for n > 0. 

Theorem 3. The extension $L$ of QMLO by the following rules is expressively
equivalent to QMLO over the canonical model.

If $\phi(t)$ is an $L$ formula with the only free variable $t$ then the following are $L$
formulae:

1. $(\exists t)^{<t_0+n+m}_{>t_0+n}\,\phi(t)$, where $n$ is an integer and $m$ a positive natural number.

2. $(\exists t > t_0 + n)\,\phi(t)$ (denoted also by $(\exists t)_{>t_0+n}\,\phi(t)$) and $(\exists t < t_0 + n)\,\phi(t)$
(denoted by $(\exists t)^{<t_0+n}\,\phi(t)$), where $n$ is an integer.

3. Similar to (1) or (2) above with weak inequality replacing one or both occurrences
of the strong inequality.

Henceforth, we will freely use these generalized quantifiers which are definable
in QMLO and also the corresponding modalities like $\Box_{<n}$ which is defined by
$(\forall t)^{<t_0+n}_{>t_0}\,X(t)$ and $\Diamond_{[n,m]}$ which is defined by $(\exists t)^{\le t_0+m}_{\ge t_0+n}\,X(t)$.
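As an added worked example (not code from the paper), the following Python module makes the point-set reading of modalities from Section 2 concrete for the finite variability canonical model: a predicate is stored as a sorted list of disjoint intervals with explicit open/closed ends, and $\Diamond_1$, $\overleftarrow{\Diamond}_1$, Pnueli's $\mathit{Age}_1$, $\mathit{First}$ of (7) and the generalized quantifier $(\exists t)^{<t_0+n}_{>t_0}$ of Theorem 3 become operators sending such lists to the list of points where the modality holds. The representation, the names `Iv`, `iv`, `normalize`, `diamond1`, `past_diamond1`, `age1`, `diamond_within`, `first_set` and the constructed sample signal `SAMPLE_X` are this example's own; the clamp $t_0 - 1 := 0$ for $t_0 < 1$ of Section 3 is implemented, and the sample confirms that two applications of $\Diamond_1$ compute exactly $(\exists t)^{<t_0+2}_{>t_0}$, the $n = 0$, $m = 2$ case of rule 1.

```python
"""Finite variability predicates over R+ as sorted interval lists, and the QTL
modalities as operators on such point sets.  Added example: the representation
(Iv, INF, Fraction endpoints) is this example's assumption, not the paper's."""
from dataclasses import dataclass
from fractions import Fraction
import math

INF = math.inf  # right-unbounded pieces end at +infinity (never included)

@dataclass(frozen=True)
class Iv:
    """One interval on which a predicate holds; lc/hc: is the endpoint included?"""
    lo: object
    hi: object
    lc: bool
    hc: bool

    def is_empty(self):
        return self.lo > self.hi or (self.lo == self.hi and not (self.lc and self.hc))

    def contains(self, t):
        if t < self.lo or t > self.hi:
            return False
        return not ((t == self.lo and not self.lc) or (t == self.hi and not self.hc))

def iv(lo, hi, lc=True, hc=False):
    """Interval with exact rational endpoints (hi may be INF)."""
    return Iv(Fraction(lo), hi if hi == INF else Fraction(hi), lc, hc)

def normalize(pieces):
    """Clip to R+, drop empty pieces, sort, merge overlapping or touching ones."""
    out = []
    for p in pieces:
        lo, lc = p.lo, p.lc
        if lo < 0:                       # nothing below 0 exists in the model
            lo, lc = Fraction(0), True
        p = Iv(lo, p.hi, lc, p.hc)
        if not p.is_empty():
            out.append(p)
    out.sort(key=lambda p: (p.lo, not p.lc))
    merged = []
    for p in out:
        last = merged[-1] if merged else None
        if last is not None and (p.lo < last.hi or (p.lo == last.hi and (p.lc or last.hc))):
            hi, hc = max((last.hi, last.hc), (p.hi, p.hc))  # farther end, then closed, wins
            merged[-1] = Iv(last.lo, hi, last.lc, hc)
        else:
            merged.append(p)
    return merged

def holds(A, t):
    """Does the predicate A hold at time t?"""
    return any(p.contains(Fraction(t)) for p in A)

def complement(A):
    """Points of R+ where A does not hold (A must be normalized)."""
    out, cur, cur_closed = [], Fraction(0), True
    for p in A:
        out.append(Iv(cur, p.lo, cur_closed, not p.lc))
        cur, cur_closed = p.hi, not p.hc
    out.append(Iv(cur, INF, cur_closed, False))
    return normalize(out)

def diamond1(A):
    """Table (3): t0 such that A holds somewhere in (t0, t0+1).  A piece with
    endpoints a <= b yields the open interval (a-1, b) whatever the piece's own
    closedness, because the witness range (t0, t0+1) is open."""
    return normalize([Iv(p.lo - 1, p.hi, False, False) for p in A])

def past_diamond1(A):
    """Table (4): t0 such that A holds somewhere in (t0-1, t0), with t0-1 read as 0
    for t0 < 1 (the clamp of Section 3).  A piece [a, b] yields (a, b+1); the
    single point 0 is never found, since (0, t0) excludes it."""
    out = [Iv(p.lo, p.hi + 1, False, False) for p in A if not (p.lo == p.hi == 0)]
    return normalize(out)

def age1(A):
    """Pnueli's Age_1, the dual of past_diamond1: A held throughout (t0-1, t0)."""
    return complement(past_diamond1(complement(A)))

def diamond_within(A, n):
    """(exists t)_{>t0}^{<t0+n} A(t) of Theorem 3 for a positive integer n,
    computed directly: a piece [a, b] yields (a-n, b)."""
    return normalize([Iv(p.lo - n, p.hi, False, False) for p in A])

def first_set(A):
    """t0 satisfying First(t0, A) of (7): A has a first point strictly after t0.
    Only an included left end is such a point; it serves every t0 from the end
    of the previous piece up to (excluding) that left end."""
    out, prev_hi = [], Fraction(0)
    for p in A:
        if p.lc:
            out.append(Iv(prev_hi, p.lo, True, False))
        prev_hi = p.hi
    return normalize(out)

# Constructed sample signal: X holds on [2, 3) and from 9/2 on.
SAMPLE_X = [iv(2, 3), iv(Fraction(9, 2), INF)]

if __name__ == "__main__":
    print("Diamond_1 X:", diamond1(SAMPLE_X), "\nAge_1 X:", age1(SAMPLE_X))
    print("twice Diamond_1 == within 2:", diamond1(diamond1(SAMPLE_X)) == diamond_within(SAMPLE_X, 2))
```

Because the witness range $(t_0, t_0 + 1)$ is open, `diamond1` always returns open intervals regardless of how the pieces of $X$ are closed, while `age1`, computed as a double complement, can return isolated closed points: on the sample it contains the single point $3$, since $X$ holds on all of $(2, 3)$ but on no interval ending later than $3$.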
4.2 Modalities in Real Time Logics

Here are the definitions of some modalities that were used before:

(e) Pnueli’s $\mathit{Age}_1(X)$ modality is dual to $\overleftarrow{\Diamond}_1$:

$\mathit{Age}_1(X) \equiv \neg\overleftarrow{\Diamond}_1 \neg X$

(f) Wilke’s relative distance construct “the first time $X(t)$ occurs after $t_0$ is in
distance smaller than, larger than or equal to $n$” [Wilke94]

$d_{<n}(X)$ is just $\mathit{First}(t_0, X) \wedge (\exists t)^{<t_0+n}_{>t_0}\,X(t)$

d=^{X) is 

(g) The > modality of [HRS98]: >(n,n+m)X “there is a first instance of X{t) 
among the points in the interval (to + u,to + n + m)”. For n = 0 this is 
First(to,X) A (3t)<(f-A(t). For n > 0 this is [(Vti)<(»+^i(3t)<*(+i First(t, X)]A 
(3t)<‘»+::+-A(t). 

The logic MITL [AFH96] is based on an infinite set of modalities $\mathit{until}_I$ where
$I$ is a non-singular interval with integer endpoints; these modalities are called
constrained until modalities. The MLO$_1$ truth table for example for the formula
$X\ \mathit{until}_{[5,8)}\ Y$ is $\exists t.\; t_0 + 5 \le t < t_0 + 8 \wedge Y(t) \wedge (\forall t_1.\; t_0 < t_1 < t \to X(t_1))$.

It is shown in [AFH96] that operators like our $\Diamond_1$ are definable in this
logic. Unfortunately the fundamental operator $\overleftarrow{\Diamond}_1$ is not discussed there and in
fact we can show that it cannot be expressed using constrained $\mathit{until}_I$ modalities.

What is called MITL in [HRS98] is the logic based on $\mathit{until}_I$ operators and
the since operators $\mathit{since}_I$. The modality $\overleftarrow{\Diamond}_1$ is easily expressed using these since
operators.

In the sequel we will refer only to the version with both until and since
operators.

(h) until(„ can be defined as U until(„ „_|_m)Q = unti/ Q))A 

(n,m)Q • 

Similar definitions work for since and for half open or closed intervals. Hence,
MITL and QTL are expressively equivalent.

5 Decidability

We want to show that there is an algorithm which given a formula $\varphi(\bar Z)$ of QTL
determines if $\varphi$ is valid in $(\mathbb{R}^+, 0, <, +1)$. We prove the equivalent claim that
there is an algorithm which given $\psi(t_0)$ of QMLO determines if $\psi$ is satisfiable in
$(\mathbb{R}^+, 0, <, +1)$.

Notation. For every n we define the formula: 

Timer,,(Ai, . . . A„, W, • • • W) = /\ Vt(T,(t) ^ 



i.e. each $Y_i$ is a timer that measures whether $X_i$ persisted for at least one unit of time.
Theorem 4 (Timer Normal Form). There is an algorithm which associates
with any formula $\varphi(t_0, \bar Z)$ of QMLO variables $X_1, \dots, X_n, Y_1, \dots, Y_n$ and a
formula $\psi(t_0, X_1, \dots, X_n, Y_1, \dots, Y_n, \bar Z)$ of pure MLO such that $\varphi(t_0, \bar Z)$ is
satisfiable iff the following formula is satisfiable:

$\mathit{Timer}_n(X_1, \dots, X_n, Y_1, \dots, Y_n) \wedge \psi(t_0, \bar X, \bar Y, \bar Z)$

The proof is by routine normalization (note that the two formulas are equivalent
only with respect to satisfiability).

Definition. A formula is said to be in first (second) order timer normal
form if it has the form

$\mathit{Timer}_n(X_1, \dots, X_n, Y_1, \dots, Y_n) \wedge \phi$

where $\phi$ is a first (second) order monadic formula.

Next we associate with the QMLO formula $\mathit{Timer}_n(X_1, \dots, X_n, Y_1, \dots, Y_n)$ a formula,
also denoted $\mathit{Timer}_n(X_1, \dots, X_n, Y_1, \dots, Y_n)$, in pure monadic logic. It is the conjunction of the
properties $A_i$, $B_{i,j}$, $C_i$ below and some technical properties $D_i$ which we omit.
We introduce first the following notation: the duration of $X$ at $t_0$ is the largest
interval $(t_1, t_0)$ such that $X(t)$ holds for every point $t$ in the interval.

$A_i$: “If $Y_i(t_0)$ holds then the duration of $X_i$ at $t_0$ is not empty.”

$B_{i,j}$: “If $Y_i(t_0)$ holds and if the duration of $X_j$ at $t_0$ is at least as big as
the duration of $X_i$ then $Y_j(t_0)$ holds. Moreover, if the duration of $X_j$ at $t_0$ is
strictly larger than the duration of $X_i$ then $Y_j(t)$ started to hold already at a
point before $t_0$.”

$C_i$: “$Y_i$ has finite variability.” This is expressible in $\mathbb{R}$ by the pure first order
monadic formula that says: every point is the left end of some open interval on
which $Y_i$ does not change its value and every point except 0 is the right end of
an open interval on which $Y_i$ does not change its value.

$D_i$ deals with the behavior of $Y_i$ at 0 and when approaching infinity. It also
asserts that $Y_i$ holds on a topologically closed set. The definition will appear in
the full version of the paper.

The formula $\mathit{Timer}_n$ of QMLO and the formula $\mathit{Timer}_n$ of MLO are related by
the following main Lemma:

Lemma 5 (Reduction of Quantitative Properties to Pure Monadic
Properties). The predicates $P_1, \dots, P_n, Q_1, \dots, Q_n$ over $(\mathbb{R}^+, 0, <)$ satisfy the
formula $\mathit{Timer}_n$ if and only if there is an order preserving bijection $\rho : \mathbb{R}^+ \to \mathbb{R}^+$
such that $P_1\rho, \dots, P_n\rho, Q_1\rho, \dots, Q_n\rho$ satisfy $\mathit{Timer}_n$.

In the above lemma the predicate $P_i\rho$ is obtained from the predicate $P_i$ by
stretching according to the bijection $\rho$, i.e. $(P\rho)(\tau)$ iff $P(\rho(\tau))$. Observe that $P$
satisfies a monadic formula $\phi(X)$ iff $P\rho$ satisfies $\phi(X)$. Therefore,

Corollary 6. For every first-order or second-order monadic formula $\phi$,
the QMLO formula $\mathit{Timer}_n \wedge \phi$ is satisfiable iff the pure monadic formula $\mathit{Timer}_n \wedge \phi$ is satisfiable.



We recall

Theorem 7. 1. The satisfiability of monadic first order logic of order over the
reals is decidable [BG85].

2. The satisfiability of monadic second-order logic of order over the reals is
undecidable [She75].

3. The satisfiability of monadic second order logic over the reals under the finite
variability interpretation is decidable [Rab98].

Therefore, 

Corollary 8. 1. The satisfiability of the formulas in first-order timer normal
form in the canonical model is decidable.

2. The satisfiability of the formulas in second-order timer normal form under
the finite variability interpretation is decidable.



Theorem 9. Satisfiability in the canonical model is decidable for QMLO and 
for QTL. Satisfiability in the finite variability canonical model is decidable for 
QMLO and for QTL. 

6 On Complexity of QTL 

In this section we show somewhat informally how one can derive easily the 
complexity bounds without appealing to automata theoretical techniques. 

We observe that the monadic formula Timer (see section 5) is expressible in 
Temporal Logic. 

Lemma 10. There is a TL formula $\mathit{timer}_n(X_1, \ldots, X_n, Y_1, \ldots, Y_n)$ of size $O(n^2)$ 
over the modalities Until and Since such that $\mathit{Timer}_n(X_1, \ldots, X_n, Y_1, \ldots, Y_n)$ is 
equivalent over the canonical model to $\mathit{timer}_n(X_1, \ldots, X_n, Y_1, \ldots, Y_n)$. 

Proof. Just observe that every clause $A_i$ and $D_i$ in the definition of 
$\mathit{Timer}_n$ (see Section 5) is expressible by a temporal logic formula which is 
independent of $n$. 

Unnesting: We define a process of unnesting by a generic example. Let $\mathit{Always}(X)$ 
be the modality defined by the table $t_0 = t_0 \wedge \forall t.\, X(t)$. Let $\mathit{OP}_1$ and $\mathit{OP}_2$ be 
any two-place modalities over a linear order $A$. It is easy to see that the 
formula $\mathit{OP}_1(\neg X_1, \mathit{OP}_2(X_2, X_3 \vee X_4))$ is unsatisfiable over $A$ iff the conjunction 
of the following formulas is unsatisfiable over $A$: 

1. $Z$ 

2. $\mathit{Always}(Z \leftrightarrow \mathit{OP}_1(Z_1, Z_2))$ 

3. $\mathit{Always}(Z_1 \leftrightarrow \neg X_1)$ 

4. $\mathit{Always}(Z_2 \leftrightarrow \mathit{OP}_2(X_2, Z_3))$ 

5. $\mathit{Always}(Z_3 \leftrightarrow (X_3 \vee X_4))$ 

A simple generalization of this observation shows 

Lemma 11. For every QTL formula $\phi$ with $k$ metrical quantifiers there is a 
TL formula $\psi$ and a subset $F$ of $\{1, \ldots, k\}$ such that the size of $\psi$ is linear 
in the size of $\phi$ and $\phi$ is satisfiable if and only if the conjunction of $\psi$ with 
$\bigwedge_{i \in F} \mathit{Always}(X_i \leftrightarrow \Diamond_1 Z_i) \wedge \bigwedge_{i \in \{1,\ldots,k\} \setminus F} \mathit{Always}(X_i \leftrightarrow \overleftarrow{\Diamond}_1 Z_i)$ is satisfiable. 
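The unnesting step described above renames every compound subformula by a fresh symbol $Z_i$ and records $\mathit{Always}(Z_i \leftrightarrow \ldots)$ with atomic arguments only. The following Python function is an added illustration of that procedure, not code from the paper; the operator names OP1 and OP2 are placeholders for the modalities the text leaves unspecified.

```python
# Added example (not from the paper): unnesting a modal formula into a
# conjunction of depth-one definitions Always(Z_i <-> ...), following the
# generic example of Section 6.  Formulas are nested tuples:
#   ('X', 1)               the atomic proposition X_1
#   ('not', f)             negation
#   ('or', f, g)           disjunction
#   ('op', 'OP1', f, g)    a two-place modality; the name is a placeholder
#                          for whatever modality the paper leaves open

def is_atom(f):
    return f[0] in ('X', 'Z')

def depth(f):
    """Nesting depth of connectives and modalities; atoms have depth 0."""
    if is_atom(f):
        return 0
    return 1 + max(depth(g) for g in f[1:] if isinstance(g, tuple))

def unnest(formula):
    """Return (root, defs): root is the fresh symbol Z_0 standing for the whole
    formula, defs lists pairs (Z_i, flat) meaning Always(Z_i <-> flat), where
    every argument of flat is an atom.  As observed in Section 6, the
    conjunction of root with all these Always-formulas is satisfiable iff
    the original formula is."""
    defs = []
    counter = [0]                       # index of the last Z_i handed out

    def fresh():
        counter[0] += 1
        return ('Z', counter[0])

    def name(f):
        # Atoms stay as they are; a compound subformula gets its own Z_i,
        # numbered before its arguments are processed (pre-order).
        if is_atom(f):
            return f
        z = fresh()
        defs.append((z, flatten(f)))
        return z

    def flatten(f):
        # Rebuild the top connective of f with each argument replaced by an atom.
        if f[0] == 'not':
            return ('not', name(f[1]))
        if f[0] == 'or':
            return ('or', name(f[1]), name(f[2]))
        if f[0] == 'op':
            return ('op', f[1], name(f[2]), name(f[3]))
        raise ValueError(f'unknown connective {f[0]!r}')

    root = ('Z', 0)                     # the paper's Z
    defs.append((root, flatten(formula)))
    defs.sort(key=lambda d: d[0][1])    # Z_0, Z_1, ... as in the list in the text
    return root, defs

# The generic example of Section 6: OP1(not X1, OP2(X2, X3 or X4)).
EXAMPLE = ('op', 'OP1', ('not', ('X', 1)),
           ('op', 'OP2', ('X', 2), ('or', ('X', 3), ('X', 4))))
```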

Lemma 12. There is a formula over $\{\mathit{Until}, \mathit{Since}, \Diamond_1\}$ which is equivalent to 
$\mathit{Always}(X_i \leftrightarrow \overleftarrow{\Diamond}_1 Z_i)$. 

Lemma 13. The formula $\mathit{Always}(X_i \leftrightarrow \Diamond_1 Z_i)$ is equivalent to $\mathit{Timer}_1(\neg X_i, \neg Z_i)$. 
The above lemmas and Lemma 5 imply 

Theorem 14. There is a polynomial time algorithm that for every QTL formula 
$\phi$ of size $m$ with $k$ metrical modalities constructs a TL formula $\psi$ of size $O(k^2 \times 
m)$ such that (1) $\psi$ is satisfiable in the canonical model iff $\phi$ is satisfiable in the 
canonical model. (2) $\psi$ is satisfiable in the finite variability canonical model iff 
$\phi$ is satisfiable in the finite variability canonical model. 

Theorem 15. [Rab98a] Let $F$ be any finite set of modalities definable in monadic 
first-order logic of order. The satisfiability problem for TL formulas over 
$F$ in the finite variability canonical model is in PSPACE. 

We note here that the proof of the above theorem is automata free and relies on 
the compositional method. 

Open Question: What is the complexity of satisfiability for TL formulas 
in the general canonical model? 

Corollary 16. The satisfiability problem for QTL in the finite variability canonical 
model is in PSPACE. 

Let $\phi$ be an MITL formula with $m$ boolean and temporal connectives and 
let $c$ be the largest constant that appears as a subscript of the bounded until or 
since operator in $\phi$. From the laws of Section 4 and an unnesting procedure one 
can construct a QTL formula $\psi$ of size $O(m \times c)$ such that $\psi$ is satisfiable (in 
either the canonical or the finite variability canonical model) iff $\phi$ is satisfiable in 
that model. Hence we reprove the result of [AFH96] that satisfiability for MITL 
is decidable in space polynomial in $m \times c$. 

7 About Two Popular Real Time Models 

In this paper we deal with the canonical model for QTL or with the finitely 
variable canonical model (in this model predicates are restricted to finitely 
variable predicates). In the survey [AH92] sixteen models for real time logics 
are provided. Surprisingly, neither the canonical model nor the finite variability 
canonical model is among these models. 

All the models considered in the literature are $\omega$-sequences of something, 
probably because the only technique to show decidability was the reduction 
to Alur-Dill timed automata, which in turn are reduced to $\omega$-automata. Our 
proof of decidability is automata free and works for general predicates as well as 
finitely variable predicates. 

We discuss two of these models that gained popularity. 
7.1 The State Sequence Model 

The most popular model is the state sequence model. A state sequence is an $\omega$-sequence 
$(t_0, \sigma_0), \ldots, (t_i, \sigma_i), \ldots$ where $t_i$ is an unbounded increasing sequence 
of reals and $\sigma_i$ gives the values of the monadic predicates at $t_i$. 

The state sequence model does not faithfully reflect the real line. For example 
the very basic law $\Diamond_2 A \leftrightarrow \Diamond_1 A \vee \Diamond_1 \Diamond_1 A$ fails in this model. In fact already at 
the pure temporal logic level (without the metric) it is clear that sequences cannot 
represent the canonical model faithfully, as any formula is satisfiable over 
real sequences iff it is satisfiable over the discrete model of the natural numbers. 
Clearly we expect TL to differentiate between the discrete and the continuous 
model of time. Another price paid for the use of state sequences is the proliferation 
of modal operators; while connectives like $\Diamond_{(0,1]}$ can be defined in the canonical 
model using the connective $\Diamond_1$, this is not true for state sequences. Most of the 
laws from Section 4 fail in this model. For example $\Diamond_{(0,1]}$ is not expressible from 
$\Diamond_1$. 

A remarkable work that achieves impressive results using state sequences is 
Wilke’s [Wilke94]. He introduced metrical properties into second order monadic 
logic and proved the decidability of an extensive fragment. He embedded all the 
known decidable formalisms (and much more) into this fragment thus reproving 
uniformly the decidability. 



7.2 The Trace Interval Model 

Another popular model is the trace interval model. A trace interval is an $\omega$-sequence 
$(I_0, \sigma_0), \ldots, (I_n, \sigma_n), \ldots$ where the $I_i$ are disjoint intervals that cover $\mathbb{R}^+$ and $I_i$ 
precedes $I_{i+1}$. 

A trace interval represents a finite variability structure for MLO. Indeed, 
every $t \in \mathbb{R}^+$ is in exactly one of the intervals $I_j$ and $\sigma_j$ determines the value 
of the monadic predicates at $t$. This clearly defines a finite variability model. 
However, the same finite variability model has many distinct representations, so 
formalisms that distinguish between representations of the same model are 
unreasonable. 

Even though a trace interval encodes all the information about the corresponding 
finite variability canonical model, it may still be misleading if one tries 
to use it for a different model like the rationals $\mathbb{Q}$. In the words of [AFH96], 
“MITL cannot distinguish the time domain of the reals from the time domain 
of the rationals”. In fact Theorem 2.4.1.4 in [AFH96] says that an MITL formula 
$\phi$ is satisfiable in the rational interval traces iff it is satisfiable in the real 
interval traces. (By a rational interval trace is meant there an $\omega$-sequence 
$(I_0, \sigma_0), \ldots, (I_n, \sigma_n), \ldots$ where the $I_i$ are disjoint intervals of the rationals with 
rational end-points that cover $\mathbb{Q}^+$ and $I_i$ precedes $I_{i+1}$.) 

But the following TL formula is satisfiable in the reals and not in the rationals: 

$(X \wedge \Diamond\neg X) \wedge \Box(\neg X \to \Box\neg X) \wedge \Box((X \to \Diamond X) \wedge$ 

(By the first two clauses $X$ holds for a prefix of the model and $\neg X$ holds in 
a suffix of the model; by the third clause $X$ has no maximal element and $\neg X$ 
has no minimal element.) Does Theorem 2.4.1.4 in [AFH96] say that MITL is 
too weak to express the above formula? Of course not; it only shows that the 
rationals are not modeled adequately by the rational trace intervals. 

8 Conclusion 

We believe that we have proved the case for the quantitative logic QTL and its 
predicate logic twin QMLO. 

It is easy to modify the theory to deal with more general time lines. For the 
rational line $\mathbb{Q}$ we would need to require that the time unit is Archimedean: the 
sequence $0, 0+1, 0+1+1, \ldots$ must be unbounded for every $+1$ function. A 
more general approach would replace the $+1$ function by a relation between pairs 
of points in time “$t_2$ is_not_too_far_ahead_of $t_1$” such that some obvious axioms 
hold. 

Future research must look for natural stronger modalities. A. Pnueli noticed 
that the following modality 

$\phi(t_0, X, Y) = (\exists t_1 \exists t_2)[(t_0 < t_1 < t_2 < t_0 + 1) \wedge X(t_1) \wedge Y(t_2)]$ 

is not definable in QMLO [HR99]. We can show that one may add modalities of 
the following form without losing decidability 

$(\exists t_1 \cdots t_n)[(t_0 < t_1 < \cdots < t_n < t_0 + 1) \wedge \bigwedge_i \phi_i(t_i)]$ 

(note that $\phi_i$ speaks only of $t_i$). But it is difficult to see from this what should 
be the next modality in the logic. 
Abstract. Mazurkiewicz traces are a widely accepted model of concurrent 
systems. We introduce a linear time temporal logic $\mathrm{LTL}_f$ which has 
the same expressive power as the first order theory FO(<) of finite (infinite 
resp.) traces. The main contribution of the paper is that we only 
use future tense modalities in order to obtain expressive completeness. 
Our proof is direct using no reduction to words and Kamp’s theorem for 
both finite and infinite words becomes a corollary. This direct approach 
became possible due to a proof technique of Wilke developed for the case 
of finite words. 

Keywords Temporal logics, Mazurkiewicz traces, concurrency 



1 Introduction 

The verification of programs is essential for the conception of critical systems, 
especially for concurrent systems. The model checking approach starts with the 
abstraction of the actual system into some automata based model. Then the 
specification to be checked is expressed in some suitable logic, mainly temporal 
logics. Finally, a tool (model checker) is used to determine whether the system 
(the automaton) meets its specification (satisfies the formula). 

Usually, concurrent systems are reduced to sequential ones by considering all 
possible linearizations of concurrent behaviors. Then, one can use both the temporal 
logics for sequences and the existing tools to specify and verify properties 
of systems. The main problem with this approach is the state explosion induced 
by these many linearizations. An alternative approach is to use truly concurrent 
models such as Mazurkiewicz traces and to introduce and study logics over these 
traces. Work along this line can be found in [1,12,13,14,16,19,20]. See also [3] 
for the general background of trace theory, and in particular [15] for traces and 
logic and [8] for infinite traces. 

The various linear time temporal logics differ by the kind of modalities allowed: 
future modalities (next, eventually, until, . . . ) and past modalities (previous, 
since, . . . ). For sequential systems, a crucial result states that linear time temporal 
logics are expressively complete, i.e., have the same expressive power as 
the first order theory of words FO(<). This is known now as Kamp’s theorem, 
[9]. The result that we can avoid past tense operators was shown, however, much 
later; it relies on Gabbay’s separation theorem [6]. 

Since then simplified versions of the proof of Kamp’s theorem were found. Let us 
mention [2], which contains an elegant proof based on Krohn-Rhodes decomposition. 
The most recent development is due to Wilke [23] who gave an elementary 
proof based on the classical fact that FO languages are aperiodic and hence given 
by some counter-free automaton [10,17]. Our approach follows the same lines as 
Wilke’s proof for the corresponding result over finite words. 

Kamp’s theorem has been generalized by Ebinger [4] to Mazurkiewicz traces, 
but he used a temporal logic with both past and future modalities, and the 
proof failed for infinite traces. Then, Thiagarajan and Walukiewicz [21] have 
introduced a temporal logic LTrL for traces with the usual future modalities and 
also past tense modalities in the weak form of previous constants. They proved 
(via a reduction to the word case) that this logic is expressively complete, both 
for finite and infinite traces. It is open whether the fragment of LTrL without 
the previous constants is still expressively complete. A positive answer to this 
question was claimed for finite traces in [11], but the proof contained a serious 
flaw, which has not yet been fixed. 

In the present paper we work with a linear time temporal logic for traces having 
future modalities only. In addition to the classical next and until modalities, we 
introduce a new (but natural) operator $\langle B^*\rangle\varphi$ which means that we can reach a 
configuration satisfying $\varphi$ by using actions from some given set $B$ only. We can 
think that the operator works as a filter, which is reflected in the index $f$ in the 
notation $\mathrm{LTL}_f$. In the word case, $\langle B^*\rangle\varphi$ means nothing but $(\langle B\rangle\top)\,\mathcal{U}\,\varphi$ and we 
can read $\langle B^*\rangle\varphi$ as a simple macro. Hence over words $\mathrm{LTL}_f$ becomes the classical 
linear time logic LTL. From this we may deduce that the new operator $\langle B^*\rangle\varphi$ 
can be avoided in the case of direct products of free monoids, but up to now we 
do not know whether this is possible for traces in general. 

We prove that LTLf has the same expressive power as the first order theory of 
traces FO(<). The result holds for both finite and infinite traces. This solves an 
open problem of [4,21] in the sense that we have a temporal logic using future 
modalities only. We would like to stress that, contrary to previous works, we are 
not reducing the problem to the word case. We give a direct proof for finite and 
infinite traces such that, formally, the result for words becomes a corollary. 

The hard part of the proof is to find an $\mathrm{LTL}_f(\Sigma)$ formula which is equivalent to 
some given FO(<) formula. For this, we use the equivalence between first-order 
and aperiodic trace languages [5]. 

All our constructions are effective, and logics like LTrL or our $\mathrm{LTL}_f$ are clearly 
decidable, but apparently rather complex. The satisfiability problem of FO(<) 
is non-elementary in the word and in the trace case, whereas the satisfiability 
problem of linear time temporal logic is PSPACE-complete in the word case [18]. 
In the presence of concurrency the situation is even more complex. Walukiewicz 
[22] has shown that the satisfiability problem for the fragment without previous 
constants of LTrL is non-elementary over an independence alphabet with four 
letters. Hence the same statement holds for $\mathrm{LTL}_f$. 
2 Preliminaries 

Throughout the first part we speak of finite traces only. The infinitary case is 
treated in Sect. 4. The separation will make it necessary to repeat some parts, 
which could be treated uniformly otherwise. We have decided to do so for at 
least two reasons: The result for finite traces is used in order to obtain the 
corresponding result for infinite traces. Second, the subject is technically involved. 
So we prefer to postpone the notions needed to deal with infinite traces as long 
as possible hoping that the first part becomes then more easily accessible. 

By $(\Sigma, I)$ we mean a finite independence alphabet where $\Sigma$ denotes a finite 
alphabet and $I \subseteq \Sigma \times \Sigma$ is an irreflexive and symmetric relation called the 
independence relation. The complementary relation $D = (\Sigma \times \Sigma) \setminus I$ is called the 
dependence relation. The monoid of finite traces $\mathbb{M}(\Sigma, I)$ is defined as a quotient 
monoid with respect to the congruence relation induced by $I$, i.e., $\mathbb{M}(\Sigma, I) = 
\Sigma^* / \{ab = ba \mid (a,b) \in I\}$. We also write $\mathbb{M}$ instead of $\mathbb{M}(\Sigma, I)$. For $A \subseteq \Sigma$ we 
denote by $\mathbb{M}_A$ the submonoid of $\mathbb{M}(\Sigma, I)$ generated by $A$: 

$\mathbb{M}_A = \mathbb{M}(A, I \cap A \times A) = \{x \in \mathbb{M} \mid \mathrm{alph}(x) \subseteq A\}.$ 

A trace $x \in \mathbb{M}$ is given by a congruence class of a word $a_1 \cdots a_n \in \Sigma^*$ where 
$a_i \in \Sigma$, $1 \le i \le n$. By abuse of language, but for simplicity, we denote a trace $x$ by 
one of its representing words $a_1 \cdots a_n$. The number $n$ is called the length of $x$; it 
is denoted by $|x|$. For $n = 0$ we obtain the empty trace; it is denoted by $1$. The 
alphabet $\mathrm{alph}(x)$ of a trace $x$ is the set of letters occurring in $x$. A trace language 
is a subset $L \subseteq \mathbb{M}$. The concatenation is defined as usual: 

$KL = \{xy \in \mathbb{M} \mid x \in K, y \in L\}.$ 

The Kleene-star $L^*$ refers to the submonoid of $\mathbb{M}$ which is generated by the set 
$L$. We have $L^* = \bigcup_{i \ge 0} L^i$ where $L^0 = \{1\}$ and $L^i$ is the $i$-fold iteration of $L$ 
with itself, $i > 0$. For $A \subseteq \Sigma$ we have $A^* = \{x \in \mathbb{M} \mid \mathrm{alph}(x) \subseteq A\}$, which is 
ambiguous, because $A^*$ could also denote the free monoid generated by the set 
$A$. It will be clear from the context what we mean. 

Every trace $a_1 \cdots a_n \in \mathbb{M}$ can be identified with its dependence graph. This is 
(an isomorphism class of) a node-labeled, acyclic, directed graph $[V, E, \lambda]$, where 
$V = \{1, \ldots, n\}$ is a set of vertices, each $i \in V$ is labeled by $\lambda(i) = a_i$, and there 
is an edge $(i,j) \in E$ if and only if both $i < j$ and $(\lambda(i), \lambda(j)) \in D$. In pictures 
it is common to draw the Hasse diagram only. Thus, all redundant edges are 
omitted. 

Example 1. Let $(\Sigma, D) = a - b - c$, i.e., $I = \{(a,c), (c,a)\}$. Then the trace 
$x = abcabca$ is given by 
By $\min(x)$ and $\max(x)$ we refer to the minimal and maximal letters in the 
dependence graph. In the example above $\min(x) = \{a\}$ and $\max(x) = \{a, c\}$. 
Formally: 

$\min(x) = \{a \in \Sigma \mid x \in a\mathbb{M}\},$ 
$\max(x) = \{a \in \Sigma \mid x \in \mathbb{M}a\}.$ 

For $B, C \subseteq \Sigma$ and $\# \in \{\subseteq, =, \supseteq, \neq\}$ we define: 

$I(B) = \{a \in \Sigma \mid \forall b \in B : (a,b) \in I\},$ 

$D(B) = \{a \in \Sigma \mid \exists b \in B : (a,b) \in D\},$ 

$(\mathrm{Min} \mathrel{\#} B) = \{x \in \mathbb{M} \mid \min(x) \mathrel{\#} B\},$ 

$(\mathrm{Max} \mathrel{\#} B) = \{x \in \mathbb{M} \mid \max(x) \mathrel{\#} B\},$ 

$[B, C] = \{x \in \mathbb{M} \mid \mathrm{alph}(x) = B, \max(x) \subseteq C\}.$ 

If in the notations above $B$ (or $C$) is a singleton, then we usually omit braces 
and write e.g. $I(b)$ or $\mathrm{Max} = b$. 

A trace language of the form $K = B_1^* b_1 \cdots B_k^* b_k$ with $k \ge 0$ is called a max-filter 
if $B_i = \{b_i, \ldots, b_k\}$ for $1 \le i \le k$. In this case, we have $\max(x) = \max(b_1 \cdots b_k)$ 
for all $x \in K$. The languages above $(\mathrm{Max} \mathrel{\#} B)$ and $[B, C]$ are finite unions 
of max-filters. For example, $[B, C]$ is the finite union over all max-filters 
$B_1^* b_1 \cdots B_k^* b_k$ such that $B = \{b_1, \ldots, b_k\}$ and $\max(b_1 \cdots b_k) \subseteq C$. 

The syntax of the temporal logic $\mathrm{LTL}_f(\Sigma)$ is defined as follows. There are a 
constant symbol $\bot$ representing false, the logical connectives $\neg$ (not) and $\vee$ (or), 
for each $a \in \Sigma$ a unary operator $\langle a\rangle$ called next-$a$, for each $B \subseteq \Sigma$ a unary 
operator $\langle B^*\rangle$ called $B$-filter, and a binary operator $\mathcal{U}$ called until. Thus, the 
syntax is given by: 

$\varphi ::= \bot \mid \neg\varphi \mid \varphi \vee \varphi \mid \langle a\rangle\varphi \mid \langle B^*\rangle\varphi \mid \varphi\,\mathcal{U}\,\varphi,$ 
where $a \in \Sigma$ and $B \subseteq \Sigma$. 

Usually, the semantics is defined by saying when some formula $\varphi$ is satisfied by 
some trace $z$ at some configuration (i.e., prefix) $x$; hence by defining $(z,x) \models \varphi$. 
Since our temporal logic uses future modalities only, we have $(z,x) \models \varphi$ if and 
only if $(y, 1) \models \varphi$, where $y$ is the unique trace satisfying $z = xy$. Therefore, we 
do not need to introduce configurations and it is enough to say when a trace 
satisfies a formula at the empty configuration, denoted simply by $z \models \varphi$. This is 
done inductively on the formula as follows: 

$z \not\models \bot,$ 

$z \models \neg\varphi$ if $z \not\models \varphi$, 
$z \models \varphi \vee \psi$ if $z \models \varphi$ or $z \models \psi$, 
$z \models \langle a\rangle\varphi$ if $z = ay$ and $y \models \varphi$, 
$z \models \langle B^*\rangle\varphi$ if $z = xy$, $x \in \mathbb{M}_B$, and $y \models \varphi$, 

$z \models \varphi\,\mathcal{U}\,\psi$ if $z = xy$, $y \in \mathbb{M}$, $y \models \psi$, and $x = x'x''$, $x'' \neq 1$ implies $x''y \models \varphi$. 

As usual, we define $L_{\mathbb{M}}(\varphi) = \{x \in \mathbb{M} \mid x \models \varphi\}$. We say that a trace language 
$L \subseteq \mathbb{M}$ is expressible in $\mathrm{LTL}_f(\Sigma)$, if there exists a formula $\varphi \in \mathrm{LTL}_f(\Sigma)$ such 
that $L = L_{\mathbb{M}}(\varphi)$. 
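The dependence-graph view of Example 1 and the inductive definition of $z \models \varphi$ just given, carried out in Python as an added example that is not code from the paper: a trace is represented by one word together with its edge relation $E$, a suffix $y$ of $z = xy$ by the set of vertices outside the prefix $x$, and the counterexample of Remark 2 below is evaluated on both representatives of the trace $ab$. The independence alphabets, traces and tuple encoding of formulas are constructed for illustration.

```python
# Added example (not code from the paper): finite Mazurkiewicz traces as
# dependence graphs (Example 1), the sets min(x) and max(x), and the
# inductive LTL_f semantics of Section 2 evaluated on small traces.  The
# independence alphabets and traces below are constructed for illustration.
from itertools import combinations

class TraceMonoid:
    """M(Sigma, I): `independent` is a set of unordered pairs; two letters
    are dependent iff they are equal or their pair is not in I."""

    def __init__(self, alphabet, independent):
        self.alphabet = frozenset(alphabet)
        self.indep = {frozenset(p) for p in independent}

    def dependent(self, a, b):
        return a == b or frozenset((a, b)) not in self.indep

    def edges(self, word):
        # Dependence graph on 0..n-1: (i, j) iff i < j and the letters are dependent.
        n = len(word)
        return {(i, j) for i in range(n) for j in range(i + 1, n)
                if self.dependent(word[i], word[j])}

    def hasse(self, word):
        # Transitive reduction of the partial order (transitive closure of E).
        E, n = self.edges(word), len(word)
        below = {j: {i for i in range(j) if (i, j) in E} for j in range(n)}
        for j in range(n):                  # all i < j are closed before j
            for i in sorted(below[j]):
                below[j] |= below[i]
        return {(i, j) for (i, j) in E
                if not any(i in below[k] for k in below[j] if k != i)}

    def min(self, word):
        E = self.edges(word)
        return {word[j] for j in range(len(word))
                if not any((i, j) in E for i in range(j))}

    def max(self, word):
        E = self.edges(word)
        return {word[i] for i in range(len(word))
                if not any((i, j) in E for j in range(i + 1, len(word)))}

class Trace:
    """A trace given by one representing word.  The suffix y of a
    factorization z = xy is the set `rest` of vertices outside the prefix x."""

    def __init__(self, monoid, word):
        self.word, self.E = word, monoid.edges(word)

    def prefixes(self, rest):
        # Every downward-closed C inside `rest`: the factorizations z = x y.
        rest = sorted(rest)
        for k in range(len(rest) + 1):
            for C in combinations(rest, k):
                S = frozenset(C)
                if all(i in S for j in S for i in rest if (i, j) in self.E):
                    yield S

    def sat(self, phi, rest=None):
        """z |= phi, where z is the trace restricted to `rest` (default: all)."""
        if rest is None:
            rest = frozenset(range(len(self.word)))
        op = phi[0]
        if op == 'bot':
            return False
        if op == 'not':
            return not self.sat(phi[1], rest)
        if op == 'or':
            return self.sat(phi[1], rest) or self.sat(phi[2], rest)
        if op == 'next':            # <a>phi: z = a y and y |= phi
            return any(self.sat(phi[2], rest - {v}) for v in rest
                       if self.word[v] == phi[1]
                       and not any((u, v) in self.E for u in rest))
        if op == 'filter':          # <B*>phi: z = x y, x in M_B, y |= phi
            return any(self.sat(phi[2], rest - C) for C in self.prefixes(rest)
                       if all(self.word[v] in phi[1] for v in C))
        if op == 'until':           # phi U psi: z = x y, y |= psi, and
            for C in self.prefixes(rest):   # x''y |= phi whenever x = x'x'', x'' != 1
                if self.sat(phi[2], rest - C) and all(
                        self.sat(phi[1], rest - Cp)
                        for Cp in self.prefixes(rest) if Cp < C):
                    return True
            return False
        raise ValueError(f'unknown operator {op!r}')

TOP = ('not', ('bot',))                 # T := not bot

# Example 1: (Sigma, D) = a - b - c, i.e. I = {(a, c), (c, a)}.
CHAIN = TraceMonoid('abc', [('a', 'c')])

# Remark 2 below: B = {b} and a independent of b.  Over Sigma = {a, b},
# X T := <a>T or <b>T, and the trace ab satisfies (<b>T) U (<b> not X T)
# but not <b*><b> not X T, so the filter is not a macro over traces.
FREE_AB = TraceMonoid('ab', [('a', 'b')])
NO_NEXT = ('not', ('or', ('next', 'a', TOP), ('next', 'b', TOP)))
FILTER_FORM = ('filter', {'b'}, ('next', 'b', NO_NEXT))
UNTIL_FORM = ('until', ('next', 'b', TOP), ('next', 'b', NO_NEXT))
```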
Equivalently, we can define inductively the language as follows: 

$L_{\mathbb{M}}(\bot) = \emptyset,$ $L_{\mathbb{M}}(\langle a\rangle\varphi) = a L_{\mathbb{M}}(\varphi),$ 

$L_{\mathbb{M}}(\neg\varphi) = \mathbb{M} \setminus L_{\mathbb{M}}(\varphi),$ $L_{\mathbb{M}}(\langle B^*\rangle\varphi) = \mathbb{M}_B L_{\mathbb{M}}(\varphi),$ 

$L_{\mathbb{M}}(\varphi \vee \psi) = L_{\mathbb{M}}(\varphi) \cup L_{\mathbb{M}}(\psi),$ $L_{\mathbb{M}}(\varphi\,\mathcal{U}\,\psi) = L_{\mathbb{M}}(\varphi)\,\mathcal{U}\,L_{\mathbb{M}}(\psi),$ 

where the until operator $\mathcal{U}$ is defined on trace languages by 

$L\,\mathcal{U}\,K = \{xy \mid x \in \mathbb{M},\ y \in K, \text{ and } x = x'x'',\ x'' \neq 1 \text{ implies } x''y \in L\}.$ 

As an easy exercise let us state the following lemma, which will be used 
frequently. 

Lemma 1. Let $L \subseteq \mathbb{M}$ be expressible in $\mathrm{LTL}_f(\Sigma)$ and $B, C \subseteq \Sigma$. Then the languages 
$(\mathrm{Min} \mathrel{\#} B)$, $(\mathrm{Max} \mathrel{\#} B)$, $[B,C]$, and $[B,C]L$ are expressible in $\mathrm{LTL}_f(\Sigma)$. 

The following operators are standard abbreviations. They serve as macros. 

$\top := \neg\bot$ (true), 

$\langle B\rangle\varphi := \bigvee_{b \in B} \langle b\rangle\varphi$ for $B \subseteq \Sigma$, 

$X\varphi := \langle\Sigma\rangle\varphi$ (next $\varphi$), 

$F\varphi := \top\,\mathcal{U}\,\varphi$ (future, or eventually, $\varphi$), 

$G\varphi := \neg F \neg\varphi$ (globally $\varphi$). 



Remark 1. For comparison let us mention that the syntax and semantics of the 
logic LTrL defined in [21] is very similar; the difference is only that instead of 
the modalities $\langle B^*\rangle\varphi$ there is for each letter $a \in \Sigma$ a constant $\langle a^{-1}\rangle\top$. Since 
the constant $\langle a^{-1}\rangle\top$ refers to the past, we need to use configurations to define 
its semantics: $(z,x) \models \langle a^{-1}\rangle\top$ if $a \in \max(x)$. It is not clear whether there is a 
direct translation of $\mathrm{LTL}_f(\Sigma)$ to LTrL or vice versa. 



Remark 2. In the case of words, $I = \emptyset$, the meaning of $\langle B^*\rangle\varphi$ is equivalent to 
the formula $(\langle B\rangle\top)\,\mathcal{U}\,\varphi$. Thus, over words $\langle B^*\rangle\varphi$ is nothing but a simple macro. 
For traces this is not the case. We always have $L_{\mathbb{M}}(\langle B^*\rangle\varphi) \subseteq L_{\mathbb{M}}((\langle B\rangle\top)\,\mathcal{U}\,\varphi)$, 
but the reverse inclusion fails in general: Let $B = \{b\}$ and $a \in \Sigma$ such that 
$(a,b) \in I$. Then 

$L_{\mathbb{M}}(\langle b^*\rangle\langle b\rangle\neg X\top) = b^+ \not\ni ab \in L_{\mathbb{M}}((\langle b\rangle\top)\,\mathcal{U}\,(\langle b\rangle\neg X\top)).$ 

The operator $\langle B^*\rangle$ works like a filter: given a formula $\langle B^*\rangle\varphi$, the actions from 
$B$ may pass (but nothing else) and what remains has to satisfy $\varphi$. It is open 
whether $\langle B^*\rangle\varphi$ can be expressed in terms of the other operators. 

There is an operator $\langle B^*\rangle$ for all subsets of $\Sigma$, but not all of them are needed. 
For example, if $\mathbb{M}$ is a direct product of free monoids, then no $\langle B^*\rangle$ is needed at 
all, see Step 2 in the proof of Thm. 2. 

Finally let us mention that the language $L_{\mathbb{M}}(\langle B^*\rangle\varphi)$ has also a fixed-point 
definition since it is the unique solution to the equation $Z = L_{\mathbb{M}}(\varphi) \cup BZ$. 
Remark 3. Later we shall perform an induction on the size of $\Sigma$ leading to 
formulae $\varphi \in \mathrm{LTL}_f(A)$ for $A \subseteq \Sigma$. We note that the interpretation over $\mathbb{M}(\Sigma, I)$ 
yields $L_{\mathbb{M}_A}(\varphi) = L_{\mathbb{M}}(\varphi) \cap \mathbb{M}_A$. Since $\mathbb{M}_A = L_{\mathbb{M}}(\neg F\langle\Sigma \setminus A\rangle\top) = L_{\mathbb{M}}(\langle A^*\rangle\neg X\top)$, 
a language $L_{\mathbb{M}_A}(\varphi)$ is expressible in $\mathrm{LTL}_f(\Sigma)$. Another trivial observation is that 
if $\psi \in \mathrm{LTL}_f(\Sigma)$, then we can construct a formula $\psi_A \in \mathrm{LTL}_f(A)$ such that 

$L_{\mathbb{M}}(\psi) \cap \mathbb{M}_A = L_{\mathbb{M}_A}(\psi_A).$ 

The first order theory of traces FO(<) is given by the syntax: 

$\varphi ::= P_a(x) \mid x < y \mid \neg\varphi \mid \varphi \vee \varphi \mid (\exists x)\varphi,$ 

where $a \in \Sigma$ and $x, y \in \mathrm{Var}$ are first order variables. Given a trace $t = [V, E, \lambda]$ 
and a valuation of the free variables into the vertices $\sigma : \mathrm{Var} \to V$, the semantics 
is obtained by interpreting the relation $<$ as the transitive closure of $E$ and the 
predicate $P_a(x)$ by $\lambda(\sigma(x)) = a$. Then we can say when $(t, \sigma) \models \varphi$. If $\varphi$ is a 
closed formula (a sentence), then the valuation $\sigma$ has an empty domain and we 
define the language $L_{\mathbb{M}}(\varphi) = \{t \in \mathbb{M} \mid t \models \varphi\}$. We say that a trace language 
$L \subseteq \mathbb{M}$ is expressible in FO(<) if there exists some sentence $\varphi \in$ FO(<) such 
that $L = L_{\mathbb{M}}(\varphi)$. 

Passing from a temporal logic formula to an FO(<) one is not very difficult. It 
is well-known or belongs to folklore. The transformation relies on the fact that 
a prefix (configuration) $p$ of a trace $t$ can be defined by its maximal vertices. 
Such a set of maximal vertices is bounded by the maximal number of pairwise 
independent letters in $\Sigma$. Therefore, a prefix inside a trace can be defined using 
a bounded number of first order variables. 

Our new modality $\langle B^*\rangle$ yields no extra difficulty: For instance, if some $\mathrm{LTL}_f(\Sigma)$-formula 
$\varphi$ is equivalent to the FO-formula $\varphi'$, then the $\mathrm{LTL}_f(\Sigma)$-formula $\langle B^*\rangle\varphi$ 
can be expressed by the FO-formula 



where $k = |B|$ and $\varphi'(x_1, \ldots, x_k)$ is the classical relativization of the formula $\varphi'$ 
to the vertices which are not in the past of $x_1, \ldots, x_k$. Hence, we can state: 

Proposition 1. If a trace language is expressible in $\mathrm{LTL}_f(\Sigma)$, then it is expressible 
in FO(<). 

As in the case of LTrL, this translation yields a non-elementary decision procedure 
for the uniform satisfiability problem of $\mathrm{LTL}_f$. (See also [7] for a modular 
decision procedure based on automata constructions.) For the lower bound, we 
can use [22], since the lower bound is given there for the fragment of LTrL without 
the previous constant $\langle a^{-1}\rangle\top$. Putting this together the result of Walukiewicz 
becomes: 

Proposition 2 ([22]). The satisfiability problem for both logics LTrL and $\mathrm{LTL}_f$ 
is non-elementary over Mazurkiewicz traces. 
In the remainder we shall use the well-known equivalence between FO(<)-definability 
and aperiodic languages. Recall that a finite monoid $S$ is aperiodic 
if there is some $n > 0$ such that $s^n = s^{n+1}$ for all $s \in S$. A trace language 
$L \subseteq \mathbb{M}$ is aperiodic if there exists a morphism to some finite aperiodic monoid 
$h : \mathbb{M} \to S$ such that $L = h^{-1}(h(L))$. 

Proposition 3 ([4,5]). A trace language is expressible in FO(<) if and only if 
it is aperiodic. 

3 Kamp’s Theorem for Finite Traces 

Theorem 1. A trace language is expressible in FO(<) if and only if it is expressible 
in $\mathrm{LTL}_f(\Sigma)$. 

By Props. 1 and 3 it is enough to show that all aperiodic languages in $\mathbb{M}(\Sigma, I)$ 
are expressible in $\mathrm{LTL}_f(\Sigma)$. This will cover the rest of this section. 

In the following $h : \mathbb{M} \to S$ denotes a homomorphism to some finite aperiodic 
monoid $S$. A divisor of $S$ is a homomorphic image of some submonoid of $S$. We 
shall use two simple facts. First, if $h : S \to G$ is a homomorphism to some group 
$G$, then $h(S)$ is trivial. Second, every divisor $T$ of $S$ is itself aperiodic. For a 
finite set (of states) $Q$ we denote by $\mathrm{Trans}(Q)$ the monoid of mappings from $Q$ 
to $Q$. The multiplication is the composition of mappings and the neutral element 
is the identity $\mathrm{id}_Q$. Every finite monoid can be realized as a submonoid of some 
$\mathrm{Trans}(Q)$ where $|Q| \le |S|$. Hence we assume $h : \mathbb{M} \to S \subseteq \mathrm{Trans}(Q)$ and we 
proceed by induction on $(|Q|, |\Sigma|)$. It is enough to construct a formula for $h^{-1}(s)$ 
where $s \in S$ and $h^{-1}(s) \neq \emptyset$. If $h(a) = \mathrm{id}_Q$ for all $a \in \Sigma$, which is in particular 
the case when $|Q| = 1$, then $s = \mathrm{id}_Q$ and $h^{-1}(\mathrm{id}_Q) = \mathbb{M}(\Sigma, I) = L_{\mathbb{M}}(\top)$. 

Hence we may assume that $h(b) \neq \mathrm{id}_Q$ for at least one $b \in \Sigma$ and we fix such 
a letter $b \in \Sigma$. The crucial observation here is that $h(b)$ is no permutation of 
$Q$. Indeed, if $h(b)$ were a permutation, then $h(b)$ would generate a non-trivial 
subgroup, which is impossible since $S$ is aperiodic. Hence, $h(b)(Q) = Q'$ for some 
$Q' \subseteq Q$ with $|Q'| < |Q|$. 

Define $A = \Sigma \setminus \{b\}$ and let $g : \mathbb{M}_A \to S$ be the restriction of $h$ to the submonoid 
$\mathbb{M}_A \subseteq \mathbb{M}$. By induction on $|\Sigma|$ we may assume that $g^{-1}(u)$ is expressible in 
$\mathrm{LTL}_f(A)$ (and hence in $\mathrm{LTL}_f(\Sigma)$ by Rem. 3) for all $u \in S$. Since $h^{-1}(s) = 
g^{-1}(s) \cup (h^{-1}(s) \cap \mathbb{M}b\mathbb{M})$, it is enough to construct a formula for $h^{-1}(s) \cap \mathbb{M}b\mathbb{M}$. 
With respect to the letter $b$ we define two more subsets of $\mathbb{M}$: 

$\Gamma = \{x \in \mathbb{M}_A \mid \min(x) \subseteq D(b)\},$ 
$\Pi = \{x \in \mathbb{M}_A \mid \max(x) \subseteq D(b)\}.$ 

The notation $\Pi$ is chosen since $\Pi b$ are exactly the pyramids of $\mathbb{M}$ where the 
unique maximal element is $b$. It should be noted that $(b\Gamma)^*$ and $(\Pi b)^*$ are in 
fact free submonoids of $\mathbb{M}$, being infinitely generated if $D(b) \neq \{b\}$. We have the 
following unambiguous decomposition: 

$\mathbb{M}b\mathbb{M} = \Pi\,\mathbb{M}_{I(b)}\,b\,(\Gamma b)^*\,\Gamma.$ 
This decomposition is best visualized by the following picture; it is in some sense 
the guide for the modular construction of the formula for $h^{-1}(s) \cap \mathbb{M}b\mathbb{M}$. 



Each $s \in h((\Gamma b)^*)$ maps the subset $Q'$ to $Q'$. Hence we may define subsets 
$T, T' \subseteq \mathrm{Trans}(Q')$ by $T = \{s|_{Q'} \mid s \in h(\Gamma b)\}$ and $T' = \{s|_{Q'} \mid s \in h((\Gamma b)^*)\}$. 
Since $h((\Gamma b)^*)$ is a submonoid of $S$, the set $T'$ is a monoid and $T$ is a set of 
generators; the monoid $T'$ is a divisor of $S$, hence it is aperiodic. By $T^*$ we denote 
the free monoid generated by the set $T$ (here $T$ is viewed as an alphabet). The 
inclusion $T \subseteq T'$ induces a canonical homomorphism $e : T^* \to T'$ which is called 
the evaluation. Since $T'$ is a submonoid of $\mathrm{Trans}(Q')$ and $|Q'| < |Q|$, we may use 
induction (although we might have $|T| > |\Sigma|$). Hence $e^{-1}(t) \subseteq T^*$ is expressible 
in $\mathrm{LTL}_f(T)$ for all $t \in T'$. (As a matter of fact, $e^{-1}(t)$ is a language of words in 
the free monoid $T^*$.) 

We need some further notations. The mapping $\sigma : \Gamma b \to T$ defined by $\sigma(x) = 
h(x)|_{Q'}$ induces a homomorphism $\sigma : (\Gamma b)^* \to T^*$ between free monoids. Therefore, 
we also have the morphism $e \circ \sigma : (\Gamma b)^* \to T'$. Note that for all $x \in (\Gamma b)^*$ 
we have $e \circ \sigma(x) = h(x)|_{Q'}$. 

Now, for all $u, v, w \in S$ and $t \in T' \subseteq \mathrm{Trans}(Q')$ the product $uvh(b)tw$ is a well-defined 
mapping from $Q$ to $Q$, since $h(b)(Q) = Q'$. Hence $uvh(b)tw$ is an element 
of $S$. Therefore, using the unambiguous factorization $\mathbb{M}b\mathbb{M} = \Pi\,\mathbb{M}_{I(b)}\,b\,(\Gamma b)^*\,\Gamma$, 
the language $h^{-1}(s) \cap \mathbb{M}b\mathbb{M}$ can be written as the following finite union: 

$\bigcup_{uvh(b)tw = s} \big(g^{-1}(u) \cap \Pi\big)\big(g^{-1}(v) \cap \mathbb{M}_{I(b)}\big)\,b\,\sigma^{-1}\big(e^{-1}(t)\big)\big(g^{-1}(w) \cap \Gamma\big).$ 

It remains to show that if $L_1, L_2, L_3 \subseteq \mathbb{M}_A$ are trace languages expressible in 
$\mathrm{LTL}_f(\Sigma)$ and if $K = \sigma^{-1}(K')$ for some $K' \subseteq T^*$ being expressible in $\mathrm{LTL}_f(T)$, 
then the language 

$(L_1 \cap \Pi)(L_2 \cap \mathbb{M}_{I(b)})\,b\,K\,(L_3 \cap \Gamma)$ 

is expressible in $\mathrm{LTL}_f(\Sigma)$. 

This is done in the following technical lemmas. 

Lemma 2. Let $\varphi \in \mathrm{LTL}_f(A)$. Then the language $(L_{\mathbb{M}_A}(\varphi) \cap \Pi)b\mathbb{M}$ is expressible 
in $\mathrm{LTL}_f(\Sigma)$. 

Proof. The assertion is trivial for $\varphi = \bot$. By structural induction we have to 
consider formulas of type $\neg\varphi$, $\varphi \vee \psi$, $\langle a\rangle\varphi$, $\langle B^*\rangle\varphi$, and $\varphi\,\mathcal{U}\,\psi$, where $a \in A$ and 
$B \subseteq A$. We deal with $\langle B^*\rangle\varphi$ and $\varphi\,\mathcal{U}\,\psi$ only, since the constructions for the other 
formulas are simpler. 

• $\langle B^*\rangle\varphi$: We have 

$(L_{\mathbb{M}_A}(\langle B^*\rangle\varphi) \cap \Pi)b\mathbb{M} = \bigcup_{B' \subseteq B,\ C \subseteq A} [B', D(C \cup \{b\})]\Big((L_{\mathbb{M}_A}(\varphi) \cap \Pi)b\mathbb{M} \cap [C, D(b)]b\mathbb{M}\Big).$ 

• $\varphi\,\mathcal{U}\,\psi$: We have 

$(L_{\mathbb{M}_A}(\varphi\,\mathcal{U}\,\psi) \cap \Pi)b\mathbb{M} = \Big((L_{\mathbb{M}_A}(\varphi) \cap \Pi)b\mathbb{M} \setminus b\mathbb{M}\Big)\,\mathcal{U}\,(L_{\mathbb{M}_A}(\psi) \cap \Pi)b\mathbb{M}.$ 

To see this, consider first $uvbw$ such that $uv \in \Pi$, $v \in L_{\mathbb{M}_A}(\psi)$, and where for 
all $u = u'u''$, $u'' \neq 1$ we have $u''v \in L_{\mathbb{M}_A}(\varphi)$. Then $u''v \in \Pi \setminus \{1\}$ and hence 
$u''vbw \notin b\mathbb{M}$. Therefore $uvbw$ is an element of the right-hand side. 

Now, let $z$ be an element of the right-hand side. Consider a factorization $z = uy$ 
with $|u|$ minimal such that $y \in (L_{\mathbb{M}_A}(\psi) \cap \Pi)b\mathbb{M}$ and for all $u = u'u''$ with $u'' \neq 1$, 
we have $u''y \in (L_{\mathbb{M}_A}(\varphi) \cap \Pi)b\mathbb{M} \setminus b\mathbb{M}$. Then, $y = vbw$ with $v \in L_{\mathbb{M}_A}(\psi) \cap \Pi$ and 
also $b \notin \mathrm{alph}(u)$. 

Consider a factorization $u = u'u''$ with $u'' \neq 1$. We have $u''vbw \in (L_{\mathbb{M}_A}(\varphi) \cap 
\Pi)b\mathbb{M}$. We have to show that $u''v \in \Pi$, because then $u''v \in L_{\mathbb{M}_A}(\varphi)$, hence 
$uv \in L_{\mathbb{M}_A}(\varphi\,\mathcal{U}\,\psi) \cap \Pi$. Let us write $u''vbw = xbw'$ with $x \in \Pi$. Since $b \notin \mathrm{alph}(u'')$ 
and $v \in \Pi$ we have $x = x'v$ and $u'' = x'x''$ for some $x'$ and some $x''$ independent 
of $v$ and $b$. We show that $x'' = 1$. Assume on the contrary that $x'' \neq 1$. Then 
$|x'| < |u''|$ and $z = (u'x')(vbx''w)$ is another possible factorization contradicting 
the minimality of $|u|$. 

Lemma 3. Assume that $C \times \{b\} \subseteq I$ and let $\varphi \in \mathrm{LTL}_f(C)$. Then the language 
$L_{\mathbb{M}_C}(\varphi)(\mathrm{Min} = b)$ is expressible in $\mathrm{LTL}_f(\Sigma)$. 

Proof. Again, we proceed by structural induction on $\varphi$. Everything is straightforward, 
up to the until-operator. 

• $\varphi\,\mathcal{U}\,\psi$: We have 

$L_{\mathbb{M}_C}(\varphi\,\mathcal{U}\,\psi)(\mathrm{Min} = b) = \Big(L_{\mathbb{M}_C}(\varphi)(\mathrm{Min} = b)\Big)\,\mathcal{U}\,\Big(L_{\mathbb{M}_C}(\psi)(\mathrm{Min} = b)\Big).$ 

The inclusion “$\subseteq$” is trivial. Therefore let $z$ be an element of the right-hand side. 
Consider a factorization $z = uy$ with $|u|$ minimal such that $y \in L_{\mathbb{M}_C}(\psi)(\mathrm{Min} = b)$ 
and for all $u = u'u''$ with $u'' \neq 1$, we have $u''y \in L_{\mathbb{M}_C}(\varphi)(\mathrm{Min} = b)$. Then, $y = vw$ 
with $v \in L_{\mathbb{M}_C}(\psi)$ and $\min(w) = \{b\}$. 

Assume that $\mathrm{alph}(u) \not\subseteq C$ and let $u = u'u''$ with $u' \in \mathbb{M}_C$ and $\min(u'') = \{d\}$ 
for some $d \notin C$. Since $d \in \min(u''vw) \subseteq C \cup \{b\}$, we must have $b = d$. Hence 
$u'' = b$ since $C \times \{b\} \subseteq I$. Therefore $z = u'(vbw)$ is another possible factorization 
of $z$ contradicting the minimality of $|u|$. 

It follows that $\mathrm{alph}(u) \subseteq C$ and for all $u = u'u''$ with $u'' \neq 1$, $(u''v)w$ is the 
unambiguous factorization in $\mathbb{M}_C(\mathrm{Min} = b)$. We deduce that $u''v \in L_{\mathbb{M}_C}(\varphi)$ since 
$u''vw \in L_{\mathbb{M}_C}(\varphi)(\mathrm{Min} = b)$. 




An Expressively Complete Temporal Logic 197 



Lemma 4. Let $L_1, L_2, L_3 \subseteq \mathbb{M}_A$ be trace languages expressible in $\mathrm{LTL}_f(\Sigma)$ and 
let $K \subseteq (\Gamma b)^*$ be a trace language such that $K\Gamma$ is expressible in $\mathrm{LTL}_f(\Sigma)$. Then 
the language 

$(L_1 \cap \Pi)(L_2 \cap \mathbb{M}_{I(b)})\,b\,K\,(L_3 \cap \Gamma)$ 
is expressible in $\mathrm{LTL}_f(\Sigma)$. 

Proof. Since the product $\Pi\,b\mathbb{M}$ is unambiguous, we can write: 

$(L_1 \cap \Pi)(L_2 \cap \mathbb{M}_{I(b)})\,b\,K\,(L_3 \cap \Gamma) = (L_1 \cap \Pi)\,b\,(L_2 \cap \mathbb{M}_{I(b)})\,K\,(L_3 \cap \Gamma)$ 

$= (L_1 \cap \Pi)b\mathbb{M} \cap \Pi\,b\,(L_2 \cap \mathbb{M}_{I(b)})\,K\,(L_3 \cap \Gamma).$ 

By Lemmas 2 and 1 it is enough to show that $b(L_2 \cap \mathbb{M}_{I(b)})K(L_3 \cap \Gamma)$ is expressible 
in $\mathrm{LTL}_f(\Sigma)$. Since the product $\mathbb{M}_{I(b)}(\mathrm{Min} = b)$ is unambiguous, we have 

$b(L_2 \cap \mathbb{M}_{I(b)})\,K\,(L_3 \cap \Gamma) = (L_2 \cap \mathbb{M}_{I(b)})\,b\,K\,(L_3 \cap \Gamma)$ 

$= (L_2 \cap \mathbb{M}_{I(b)})(\mathrm{Min} = b) \cap \mathbb{M}_{I(b)}\,b\,K\,(L_3 \cap \Gamma).$ 

By Lemma 3 it is enough to consider $K(L_3 \cap \Gamma)$. Finally, since the product 
$(\mathrm{Max} \supseteq b)\Gamma$ is unambiguous, we obtain if $1 \in K$ (which is equivalent with 
$1 \in K\Gamma$) 

$K(L_3 \cap \Gamma) = (L_3 \cap \Gamma) \cup \Big(K\Gamma \cap (\mathrm{Max} \supseteq b)(L_3 \cap \Gamma)\Big),$ 

and if $1 \notin K$: 

$K(L_3 \cap \Gamma) = K\Gamma \cap (\mathrm{Max} \supseteq b)(L_3 \cap \Gamma).$ 

The assertion follows from Lemma 1 since $(\mathrm{Max} \supseteq b)$ is a finite union of max-filters, 
and $\Gamma$ is expressible in $\mathrm{LTL}_f(\Sigma)$. 

By Lemma 4 it remains to show the next lemma. 

Lemma 5. Let $\varphi \in \mathrm{LTL}_f(T)$. Then the trace language $\sigma^{-1}(L_T(\varphi))\Gamma$ is expressible in $\mathrm{LTL}_f(\Sigma)$.

Proof. For a formula $\varphi \in \mathrm{LTL}_f(T)$ let us denote in this proof by $\sigma^{-1}(\varphi)$ the language $\sigma^{-1}(L_T(\varphi))$. We use structural induction on $\varphi$, the basis $\varphi = \top$ being trivial. Since $T^*$ is a free monoid, it is enough to consider formulas of the form $\neg\varphi$, $\varphi \vee \psi$, $\langle t\rangle\varphi$ where $t \in T$, and $\varphi\,\mathrm{U}\,\psi$.

• $\neg\varphi$: We have $\sigma^{-1}(\neg\varphi)\Gamma = ((\Gamma b)^* \setminus \sigma^{-1}(\varphi))\Gamma = (\Gamma b)^*\Gamma \setminus \sigma^{-1}(\varphi)\Gamma$ since the product $(\Gamma b)^*\Gamma$ is unambiguous. Moreover, the language $(\Gamma b)^*\Gamma = (\mathrm{Min} \subseteq D(b))$ is expressible in $\mathrm{LTL}_f(\Sigma)$ by Lemma 1.

• $\varphi \vee \psi$: Trivial.

• (t)p where t G T: Using the unambiguous decomposition 

{Fb){Fb) F = (MinCL>(fe)) nLrM/(b)fe(Lfe) F 

we deduce that 

= IJ (MmCD{b)'^ r\(^g^^{u)r\II^(g^^{v)r\Mp^b)^ba^^{p)F. 

uvh{b)=t 
By induction, is expressible in $\mathrm{LTL}_f(T)$. We may apply Lemma 4 to conclude this case.

• cpU V': An until-formula cpU'tp over words is equivalent with 'tpV cp A X.{<pU V')- 
Thus it is enough to consider tp). We claim that 

(j-\x{A^i’))r=irb) rn ^(^ba-\p)r U (Min J^b)^ U (ba-^ij)r'^ 

To see the claim, let first vj = u\b- ■ -Ukbz € (J^'^(X(aU tp))r such that 1 < A;, 
Ml, . . . , Mfe, z G r, and ti • • • tfe € Lt* (X(aU V’)) where ti = cr(uib) for 1 < i < A;. 
For some 1 < j < A; we have tj+i • • • Afe € T^t* (V') and for all 2 < i < j we 
have ti'-'tk € Lt»((/ 3). We can write buj+ib- ■ -Ukbz G ba~^('tp)r. Consider 
a factorization uib- ■ -Uj^ibuj = xy such that y ^ 1. We have to show that 
min(y) = b implies y G ba^^((p)r. However this is clear, because min(y) = b 
implies y — bui ■ ■ ■ buj for some 2 < i < j. 

Now, let w be an element of the right-hand side. Since the factorization (Tfe) T is 
unambiguous, there is a unique decomposition w = Uib- ■ ■ u^bz with m ^, z £ P. 
For 1 < i < k, we let ti ~ o(uib). Let 1 < j < A; be minimal such that 
buj^\b---Ukbz G ba^^(tp)r. We must have buib---Ukbz G ba^^(ip)r for all 
2 < A < j. It follows that Ai • • • Afc G Lt-»(X((/3W V'))- 

This finishes the proof of Thm. 1. 



4 Kamp’s Theorem for Infinite Traces

An infinite trace is an infinite dependence graph $[V, E, \lambda]$ such that for all $j \in V$ the set $\downarrow j = \{i \in V \mid i < j\}$ is finite. A real trace is a finite or infinite trace. The set of real traces is denoted by $R(\Sigma, I)$ or simply by $R$. For a real trace $x = [V, E, \lambda]$ the alphabet at infinity is defined as the set of letters occurring infinitely many times in $x$, i.e., $\mathrm{alphinf}(x) = \{a \in \Sigma \mid |\lambda^{-1}(a)| = \infty\}$. We refer to [8] for details about infinite traces.

The aim of this section is to generalize Kamp’s theorem for infinite words (i.e., for $\omega$-words) to real traces. The expressiveness result for $\omega$-words is shown in [6]. It is worth mentioning that we do not use this fact on $\omega$-words, which again becomes a formal corollary.

We shall use the syntax of $\mathrm{LTL}_f(\Sigma)$. The semantics of $\mathrm{LTL}_f(\Sigma)$ is defined exactly as in the finitary case. For each $\varphi \in \mathrm{LTL}_f(\Sigma)$ there is a language $L_R(\varphi)$ and we have $L_M(\varphi) = L_R(\varphi) \cap M$. Moreover, we can express $M$ as the language Lr(JC--XT).

Recall also that $x \in L\;\mathcal{U}\;K$, for $L, K \subseteq M$, means that there are $y, z$ with $x = yz$, $y \in M$ and $z \in K$ such that for all $y = y'y''$ with $y'' \neq 1$ we have $y''z \in L$. Clearly, as in the finitary case, $L_R(\varphi\,\mathrm{U}\,\psi) = L_R(\varphi)\;\mathcal{U}\;L_R(\psi)$.

Theorem 2. A language over real traces $L \subseteq R(\Sigma, I)$ is expressible in $\mathrm{FO}(<)$ if and only if it is expressible in $\mathrm{LTL}_f(\Sigma)$.
As for finite traces, we can pass from an $\mathrm{LTL}_f(\Sigma)$ formula to an $\mathrm{FO}(<)$ formula. It is also well-known that a language of real traces is $\mathrm{FO}(<)$ definable if and only if it is aperiodic [5]. Let us recall the notions of recognizable and of aperiodic real trace language.

Let $h : M \to S$ be a morphism into some finite monoid $S$. For $x, y \in R$, we say that $x$ and $y$ are $h$-similar, denoted by $x \sim_h y$, if we can find infinite factorizations $x = x_1x_2\cdots$ and $y = y_1y_2\cdots$ into finite traces such that $h(x_i) = h(y_i)$ for all $i > 0$. A real trace language $L \subseteq R$ is recognized by $h$ if it is saturated by $\sim_h$. A real trace language $L \subseteq R$ is aperiodic if it is recognized by some morphism into some finite aperiodic monoid.

We denote by $\approx_h$ the transitive closure of $\sim_h$, which is therefore an equivalence relation. It is well-known (by a Ramsey-type argument) that there are only finitely many equivalence classes $[x]_{\approx_h} = \{y \in R \mid y \approx_h x\}$ and they form a finite partition of $R$.

Remark 4. Working with real traces it is convenient to consider languages $L$ which contain simultaneously finite and infinite traces. We allow writing a finite trace $x \in M$ as an infinite product $x = x_1x_2\cdots$ where $x_i = 1$ for almost all $i$. Thus, it may happen that $x \sim_h y$ where $x$ is finite and $y$ is infinite.

This convention is a matter of taste, but it is quite natural in the presence of concurrency, where we have independent components. Some of them may stop and others may run forever.

The remainder of this section consists in the proof that for each aperiodic trace language $L \subseteq R$, there exists a formula $\varphi$ in $\mathrm{LTL}_f(\Sigma)$ such that $L = L_R(\varphi)$. Clearly, this will show Thm. 2. Let $h : M \to S$ be a morphism to some finite aperiodic monoid $S$. We can realize $S$ as a submonoid of some transformation monoid $\mathrm{Trans}(Q)$. We show by induction on $(|Q|, |\Sigma|)$ that every language $L \subseteq R$ recognized by $h$ is expressible in $\mathrm{LTL}_f(\Sigma)$. We use that for each $s \in S$ the language $h^{-1}(s)$ is expressible in $\mathrm{LTL}_f(\Sigma)$ (Prop. 3, Thm. 1).

Step 1: Assume that $h(a) = \mathrm{id}_Q$ for all $a \in \Sigma$ (this is in particular the case when $|Q| = 1$). Then $h$ recognizes only two languages, $R$ and $\emptyset$, which are expressible in $\mathrm{LTL}_f(\Sigma)$ by $\top$ and $\bot$ respectively.

Step 2: Assume that $\Sigma = \Sigma_1 \cup \Sigma_2$ where $\Sigma_1, \Sigma_2$ are nonempty subsets of $\Sigma$ such that $\Sigma_1 \times \Sigma_2 \subseteq I$. For $i = 1, 2$ consider $M_i = M(\Sigma_i, I \cap \Sigma_i \times \Sigma_i)$, $R_i = R(\Sigma_i, I \cap \Sigma_i \times \Sigma_i)$, and $h_i : M_i \to S$ the restriction of $h$ to $M_i$. We claim that $L$ is a finite union of products of the form $L_1L_2$ where $L_1, L_2$ are recognized by $h_1, h_2$ respectively.

Let $x \in L$; we can write $x = x_1x_2$ with $x_1 \in R_1$ and $x_2 \in R_2$. For $i = 1, 2$, let $L_i = [x_i]_{\approx_{h_i}}$. Clearly, $L_i$ is recognized by $h_i$ and $x \in L_1L_2$. Now, for $i = 1, 2$, let $y_i, z_i \in R_i$ be such that $y_i \sim_{h_i} z_i$. Since $\Sigma_1 \times \Sigma_2 \subseteq I$, it is easy to see that $y_1y_2 \sim_h z_1z_2$. We deduce that $L_1L_2 \subseteq L$. The claim follows since there are only finitely many equivalence classes under $\approx_{h_1}$ and $\approx_{h_2}$.

Now we can conclude the second case. Using the induction on $|\Sigma|$ we know that $L_1$ and $L_2$ are expressible in $\mathrm{LTL}_f(\Sigma_1)$ and $\mathrm{LTL}_f(\Sigma_2)$ respectively. We deduce that $L$ is expressible in $\mathrm{LTL}_f(\Sigma)$ using Lemma 6.
Lemma 6. For $i = 1, 2$, let $L_i \subseteq R_i$ be a trace language expressible in $\mathrm{LTL}_f(\Sigma_i)$. Then the language $L_1L_2$ is expressible in $\mathrm{LTL}_f(\Sigma)$.

Proof. The product $R_1R_2$ is unambiguous and we have $L_1L_2 = (L_1R_2) \cap (R_1L_2)$. The result follows since we can show by structural induction that for each formula $\varphi$ in $\mathrm{LTL}_f(\Sigma_1)$ we have $L_R(\varphi) = L_{R_1}(\varphi)R_2$.

Step 3: For a subset $A \subseteq \Sigma$ we denote by $\bar A$ its complement, $\bar A = \Sigma \setminus A$, and for $\circ \in \{\subseteq, =\}$ we define $(\mathrm{Alphinf} \circ A) = \{x \in R \mid \mathrm{alphinf}(x) \circ A\}$. We show that if $A$ is a proper subset of $\Sigma$ then $L \cap (\mathrm{Alphinf} \subseteq A)$ is expressible in $\mathrm{LTL}_f(\Sigma)$. For $s \in S$ we let $L(s) = \{y \in R_A \mid h^{-1}(s) \cdot y \cap L \neq \emptyset\}$. We first show that

$L \cap (\mathrm{Alphinf} \subseteq A) = \bigcup_{s \in S} \big(h^{-1}(s) \cap (\mathrm{Max} \subseteq \bar A)\big)\,L(s).$

Let $z \in L \cap (\mathrm{Alphinf} \subseteq A)$. Using the unambiguous decomposition $(\mathrm{Alphinf} \subseteq A) = (\mathrm{Max} \subseteq \bar A)R_A$ we can write $z = xy$ with $x \in (\mathrm{Max} \subseteq \bar A)$ and $y \in R_A$. Let $s = h(x)$; we obtain $z = xy \in (h^{-1}(s) \cap (\mathrm{Max} \subseteq \bar A))L(s)$.

Conversely, let $s \in S$, $x \in h^{-1}(s) \cap (\mathrm{Max} \subseteq \bar A)$ and $y \in L(s)$. Let $x' \in h^{-1}(s)$ be such that $x'y \in L$. Since $xy \sim_h x'y$ and $L$ is recognized by $h$, we deduce that $xy \in L$. Moreover, $\mathrm{alphinf}(xy) \subseteq \mathrm{alph}(y) \subseteq A$.

Then we show that $L(s)$ is recognized by the restriction of $h$ to $M_A$. Indeed, let $y, z \in R_A$ be such that $y \sim_{h_A} z$. Note that this implies $y \sim_h z$. Assume that $y \in L(s)$; then there exists $x \in h^{-1}(s)$ such that $xy \in L$. Since $xy \sim_h xz$, we deduce that $xz \in L$ and then $z \in L(s)$.

From the finitary case we know that each language $h^{-1}(s)$ is expressible in $\mathrm{LTL}_f(\Sigma)$. So is the language $(\mathrm{Max} \subseteq \bar A)$, as a finite union of max-filters. Using the induction on $|\Sigma|$, we deduce that the language $L(s)$ is expressible in $\mathrm{LTL}_f(A)$. From Lemma 7 we conclude that $L \cap (\mathrm{Alphinf} \subseteq A)$ is expressible in $\mathrm{LTL}_f(\Sigma)$.

Lemma 7. Let $A \subseteq \Sigma$ and let $K \subseteq M$ and $L \subseteq R_A$ be trace languages expressible in $\mathrm{LTL}_f(\Sigma)$ and $\mathrm{LTL}_f(A)$ respectively. Then the language $(K \cap (\mathrm{Max} \subseteq \bar A))L$ is expressible in $\mathrm{LTL}_f(\Sigma)$ as well.

Proof. First, the product $(\mathrm{Max} \subseteq \bar A)R_A$ is unambiguous and we have

$(K \cap (\mathrm{Max} \subseteq \bar A))L = (K \cap (\mathrm{Max} \subseteq \bar A))R_A \;\cap\; (\mathrm{Max} \subseteq \bar A)L.$

The language $(\mathrm{Max} \subseteq \bar A)$ is a union of max-filters. Hence, by Lemma 1, the language $(\mathrm{Max} \subseteq \bar A)L$ is expressible in $\mathrm{LTL}_f(\Sigma)$.

We now show by induction on $\varphi$ that the language $(L_M(\varphi) \cap (\mathrm{Max} \subseteq \bar A))R_A$ is expressible in $\mathrm{LTL}_f(\Sigma)$. The proof is similar to that of Lemma 2.

• The cases $\top$ and $\varphi \vee \psi$ are trivial.

• $\neg\varphi$: Since the product $(\mathrm{Max} \subseteq \bar A)R_A$ is unambiguous, we have

$(L_M(\neg\varphi) \cap (\mathrm{Max} \subseteq \bar A))R_A = (\mathrm{Max} \subseteq \bar A)R_A \setminus (L_M(\varphi) \cap (\mathrm{Max} \subseteq \bar A))R_A.$

Moreover, $(\mathrm{Max} \subseteq \bar A)R_A$ is the set of traces whose alphabet at infinity is contained in $A$, and it is clearly expressible in $\mathrm{LTL}_f(\Sigma)$.
• {o)lp : Follows from Lemma 1 by writing (Ljvi[((a)‘/3) H (Max C A))K^ as 

a(^(LM(93) n (Max C A))Ka n [C, . 

{CCE\a AUD(C)} 

• {B )ip : Similarly, we can write (LM((-y )f) H (Max C A))K^ as 

U [B ,AU D{C)] ((Lm( 9^) n (Max C Z))Ka n [C, A]Ra) ■ 

B'CB,CCS 

• $\varphi\,\mathrm{U}\,\psi$: We have

$(L_M(\varphi\,\mathrm{U}\,\psi) \cap (\mathrm{Max} \subseteq \bar A))R_A = (L_M(\varphi) \cap (\mathrm{Max} \subseteq \bar A))R_A \;\mathcal{U}\; (L_M(\psi) \cap (\mathrm{Max} \subseteq \bar A))R_A.$

Step 4: We may now assume that the alphabet $\Sigma$ is connected, and we show that for some language $L'$ expressible in $\mathrm{LTL}_f(\Sigma)$ we have

$L \cap (\mathrm{Alphinf} = \Sigma) \subseteq L' \subseteq L.$

We proceed as for finite traces by choosing a letter $b \in \Sigma$ such that $h(b) \neq \mathrm{id}_Q$. We know that $Q' = h(b)(Q)$ is a proper subset of $Q$. We let $A = \Sigma \setminus \{b\}$, $\Pi = \{x \in M_A \mid \max(x) \subseteq D(b)\}$ and $\Gamma = \{x \in M_A \mid \min(x) \subseteq D(b)\}$. For $s \in S$ we define $L(s) = \{y \in R \mid h^{-1}(s) \cdot y \cap L \neq \emptyset\}$. Since $L$ is recognized by $h$, we deduce easily that $L(s)$ is recognized by $h$ and $h^{-1}(s)L(s) \subseteq L$ for all $s \in S$. Now we claim that $L \cap (\mathrm{Alphinf} = \Sigma) \subseteq L' \subseteq L$ with

$L' = \bigcup_{u, v \in S} \big(h^{-1}(u) \cap \Pi\big)\big(h^{-1}(v) \cap M_{I(b)}\big)\big(L(uv) \cap (b\Gamma)^\infty\big).$

Since $\Sigma$ is connected and by the factorization $(\mathrm{Alphinf} = \Sigma) \subseteq \Pi\,M_{I(b)}\,(b\Gamma)^\infty$, which is unambiguous, the first inclusion $L \cap (\mathrm{Alphinf} = \Sigma) \subseteq L'$ follows easily. The second inclusion is clear since $h^{-1}(s)L(s) \subseteq L$ for all $s \in S$.

We use the definitions and notations introduced earlier for the sets $T, T' \subseteq \mathrm{Trans}(Q')$ and the morphisms $e : T^* \to T'$ and $\sigma : (\Gamma b)^* \to T^*$, and we extend $\sigma : (\Gamma b)^\infty \to T^\infty$ naturally.

For $K \subseteq R$ recognized by $h$ we define

$K' = \{\sigma(x) \mid bx \in K \cap b(\Gamma b)^\infty\} \subseteq T^\infty.$

We show that

1) $K \cap b(\Gamma b)^\infty = b\,\sigma^{-1}(K')$;

2) $K'$ is recognized by the morphism $e : T^* \to T'$.

For the first point, one inclusion is clear. Conversely, let $y = y_1by_2b\cdots \in \sigma^{-1}(K')$ with $y_i \in \Gamma$ and let $bx \in K \cap b(\Gamma b)^\infty$ be such that $\sigma(x) = \sigma(y)$. We write $x = x_1bx_2b\cdots$ with $x_i \in \Gamma$. For all $i$ we have $h(x_ib)|_{Q'} = \sigma(x_ib) = \sigma(y_ib) = h(y_ib)|_{Q'}$ and we deduce that $h(bx_ib) = h(by_ib)$. It follows that $bx \sim_h bz \sim_h by$ with $z = x_1by_2bx_3by_4b\cdots$. Since $bx \in K$ and $bx \approx_h by$, we deduce that $by \in K$, and we have proved the converse inclusion since $by \in b(\Gamma b)^\infty$.
For the second point, let $u, v \in T^\infty$ be such that $u \sim_e v$. We write $u = u_1u_2\cdots$ and $v = v_1v_2\cdots$ with $e(u_i) = e(v_i)$ for all $i$. Assume that $u \in K'$ and let $bx = bx_1bx_2b\cdots \in K$ with $x_ib \in (\Gamma b)^*$ and $\sigma(x_ib) = u_i$. Let $y = y_1by_2b\cdots$ with $y_ib \in (\Gamma b)^*$ and $\sigma(y_ib) = v_i$. Then, for all $i$ we have $h(x_ib)|_{Q'} = e(u_i) = e(v_i) = h(y_ib)|_{Q'}$ and therefore $h(bx_ib) = h(by_ib)$. Hence we have $bx \sim_h bz \sim_h by$ with $z = x_1by_2bx_3by_4b\cdots$ and therefore $bx \approx_h by$. Since $bx \in K$, which is recognized by $h$, it follows that $by \in K$ and $v = \sigma(y) \in K'$.

We have proved that $K'$ is recognized by the morphism $e : T^* \to T' \subseteq \mathrm{Trans}(Q')$. We deduce by induction on $|Q'|$ that $K'$ is expressible in $\mathrm{LTL}_f(T)$. Using Lemma 9 (below) we deduce that $K \cap b(\Gamma b)^\infty = b\,\sigma^{-1}(K')$ is expressible in $\mathrm{LTL}_f(\Sigma)$. Finally, using Lemma 8, we deduce that $L'$ is expressible in $\mathrm{LTL}_f(\Sigma)$.

Lemma 8. Let $L_1, L_2 \subseteq M$ and $L_3 \subseteq R$ be expressible in $\mathrm{LTL}_f(\Sigma)$. Then the language $(L_1 \cap \Pi)(L_2 \cap M_{I(b)})L_3$ is expressible in $\mathrm{LTL}_f(\Sigma)$.

Proof. Similar to that of Lemma 4. We use the decomposition

$(L_1 \cap \Pi)(L_2 \cap M_{I(b)})L_3 = (L_1 \cap \Pi)\,bM \;\cap\; \Pi\,(L_2 \cap M_{I(b)})(\mathrm{Min}=b) \;\cap\; M_A\,L_3.$



Lemma 9. Let $K' \subseteq T^\infty$ be a language expressible in $\mathrm{LTL}_f(T)$. Then the language $\sigma^{-1}(K')$ is expressible in $\mathrm{LTL}_f(\Sigma)$.

Proof. Similar to that of Lemma 5 and therefore omitted for lack of space.
Abstract. We propose a calculus of explicit substitutions with de Bruijn indices for implementing objects and functions which is confluent and preserves strong normalization. We start from Abadi and Cardelli’s ς-calculus [1] for the object calculus and from the λυ-calculus [20] for the functional calculus. The de Bruijn setting poses problems when encoding the λυ-calculus within the ς-calculus following the style proposed in [1].

We introduce fields as a primitive construct in the target calculus in order to deal with these difficulties. The solution obtained greatly simplifies the one proposed in [17] in a named variable setting. We also eliminate the conditional rules present in the latter calculus, obtaining in this way a full non-conditional first order system.

1 Introduction 

The object oriented paradigm is heavily used in the software engineering process. The simplicity of the underlying ideas makes it especially suited for resolving complex tasks. However, since no widespread consensus on its theoretical foundations has been reached, rigorous reasoning is difficult to achieve. In fact, due to its success in software development, the rapid evolution of object oriented languages has turned the task of formulating a formal calculus capturing the general principles of the paradigm into an interesting problem. In this direction, the calculi introduced by Abadi and Cardelli [1] constitute a simple yet powerful formalism.

The core untyped calculus presented in [1] is called the ς-calculus. This calculus defines objects as collections of methods and supports method update, thus providing mechanisms for inheritance by embedding. It also captures the notion of self, a name which allows a method to refer to its host object. These primitive constructs allow the representation of a vast amount of object oriented features, including classes, traits, and multiple inheritance. Furthermore, it may be extended into a typed setting.

Evaluation in the ς-calculus is accomplished by means of reduction rules and substitution. As in the lambda calculus, substitution is defined as an atomic
J. Flum and M. Rodriguez-Artalejo (Eds.): CSL’99, LNCS 1683, pp. 204—219, 1999. 
operation which does not form part of the calculus. Therefore, any implementation has to deal with its computation. This is not a trivial task, in particular in a setting where variables are represented by names (as is usually done). Thus, inevitably, a gap arises between theory and implementation. Calculi of explicit substitution eliminate this gap by decomposing the substitution process into more atomic parts and incorporating the behaviour of these parts as new operators in the calculus. This has the added benefit that we obtain finer-grained control over the computation of the substitution, providing for example tools for studying refinement of proofs in type theory or the theory of abstract evaluation machines.

Explicit substitution calculi arise with the study of the pioneering λσ-calculus [2]. The idea is simple: the notion of substitution used to define β-reduction in the lambda calculus takes place at a meta-level; explicit substitution calculi add new operators, and reduction rules for these new operators, so that substitutions may be computed at the object-level. Explicit substitution constructors thus implement substitution within the calculus, drawing the theory closer to the implementation level. Abadi, Cardelli, Curien and Lévy used indices, as introduced by de Bruijn in [8], to represent variables and also introduced a typed version of λσ. Other calculi of explicit substitutions are [13], λυ [20], [14], [11], [23], [21], and [26]. All but the last two of these calculi have been formulated with de Bruijn indices; the calculus of [21] uses de Bruijn levels and that of [26] uses variable names. They have all been studied in the setting of the lambda calculus. Attempts to study explicit substitutions in a general setting are the Explicit CRS [5], based on the higher order rewriting formalism CRS [18], and the eXplicit Reduction Systems [24]. These formalisms, although defined in a higher order rewriting setting, deal with a fixed “built in” explicit substitution calculus (one for Explicit CRS and one for XRS). This naturally raises the question of the generality of these formalisms as theories of explicit substitution. In particular, we shall see below that the calculus of explicit substitutions implementing the ς object oriented language fits in neither of these schemes.

In this paper we provide an implementation language for object oriented programming as formalized by the ς-calculus. We introduce the untyped $\varsigma_{DBES}$-calculus, an explicit substitution calculus in a de Bruijn index setting which is confluent and preserves strong normalization. Abadi and Cardelli’s ς-calculus allows the execution of lambda calculus expressions by means of an elegant translation which requires the use of fields (see Section 4). Although it does not provide fields as primitive constructions, they can be simulated. A brief analysis, as discussed in Section 5, shows that this simulation is not well adapted when variable names are replaced by de Bruijn indices and explicit substitutions are incorporated. The $\varsigma_{DBES}$-calculus introduces fields as primitive constructs in the language, thus allowing one to merge both the object oriented language and the functional lambda calculus in the spirit of [1].

The use of de Bruijn indices, by encoding variable names with numbers, avoids having to deal with α-conversion, thus simplifying the associated reduction relation.
Most importantly, the analysis pertaining to the merging of the object oriented language and the functional lambda calculus while retaining the spirit of the aforementioned translation revealed [17] that two different notions of substitution were necessary: Ordinary Substitution and Invoke Substitution. Ordinary Substitution is used to perform evaluation of methods and may be related to the usual notion of substitution which is made explicit in calculi for the lambda calculus, whereas Invoke Substitution is used to implement functions as objects and exhibits a different behaviour. Also, some interaction between both types of substitutions must be specified. Higher order rewriting formalisms such as CRS [18], Explicit CRS [5] or XRS [24] do not cater for this difference. Consequently, the $\varsigma_{DBES}$-calculus is not an instance of any of these formalisms.

The work reported here is very much in the spirit of [17]. There, a calculus of explicit substitutions in a named variable setting for the ς-calculus, called $\varsigma_{ES}$, is defined. The interaction between Ordinary and Invoke substitution is easier to express there, since one may specify conditions on free variables naturally, whereas in a de Bruijn setting the situation is more complex, since conditions on free variables imply adjustments on indices. The solution we have adopted, incorporating field constructs, allows us, in contrast to [17], to do away with the conditions on free variables, thus obtaining a non-conditional interaction rule. Also, the calculus obtained here is a first order calculus: no binding operators are needed. As remarked above, just as the $\varsigma_{ES}$-calculus is not an instance of Explicit CRS, the $\varsigma_{DBES}$-calculus is not an instance of an XRS.

This paper is organized as follows. Section 2 recalls the main concepts and definitions of the ς-calculus. Section 3 introduces the ς-calculus with de Bruijn indices, called the $\varsigma_{DB}$-calculus. Section 4 is devoted to the ς-calculus with de Bruijn indices and fields. Here we introduce the syntax, we prove confluence and finally we show how it relates to the $\varsigma_{DB}$-calculus. Also the invoke substitution is defined. Section 5 defines the ς-calculus with de Bruijn indices and fields extended with explicit substitutions, called the $\varsigma_{DBES}$-calculus. The following section deals with the encoding of lambda calculus with explicit substitutions in the $\varsigma_{DBES}$-calculus. Section 7 proves the main properties of $\varsigma_{DBES}$: confluence and preservation of strong normalization. Finally, we conclude and suggest future research directions.



2 The ς-Calculus 

This section presents the ς-calculus as defined in [1]. We have at our disposal an infinite list of variables denoted $x, y, z, \ldots$, and an infinite list of labels denoted $l, l_1, l_2, \ldots$. The labels shall be used to reference methods. An object is represented as a collection of methods denoted $[l_i = \varsigma(x_i).a_i]^{i \in 1..n}$. Each method has a reference or method name $l_i$ and a method body $\varsigma(x_i).a_i$. The labels of an object’s methods are assumed to be all distinct. Operations allowed on objects are method invocation and method update. A method invocation of the method $l_j$ in an object $[l_i = \varsigma(x_i).a_i]^{i \in 1..n}$ is represented by the term $[l_i = \varsigma(x_i).a_i]^{i \in 1..n}.l_j$.

As a result of a method invocation, not only is the corresponding method body returned, but this method body is also supplied with a copy of its host object.
Thus method bodies are represented as $\varsigma(x_i).a_i$, where $\varsigma$ is a binder that binds the variable $x_i$ in $a_i$. This variable, called self, will be replaced by the host object when the associated method is invoked. It is this notion of self captured by the ς-calculus that makes it so versatile. The other valid operation on objects is method update. A method $l_j = \varsigma(x_j).a_j$ in an object $o$ may be replaced by a new method $l_j = \varsigma(x).a$, thus resulting in a new object $o'$.

The terms of the ς-calculus are given by the following grammar:

$a ::= x \mid a.l \mid a \lhd (l = \varsigma(x).a) \mid [l_i = \varsigma(x_i).a_i]^{i \in 1..n}$

A variable convention similar to the one present in the λ-calculus is adopted: terms differing only in the names of their bound variables (i.e. α-equivalent) are considered identical.

We say that $x$ is a variable, $a.l$ is a method invocation, $a \lhd (l = \varsigma(x).a)$ is a method update and $[l_i = \varsigma(x_i).a_i]^{i \in 1..n}$ is an object.

In order to introduce reduction between terms, the notions of free variables and substitution are defined as in [1]. The result of substituting a free variable $x$ in a term $a$ by a term $b$ shall be denoted $a\{x \leftarrow b\}$.

The semantics of the ς-calculus, referred to as the primitive semantics in [1], is defined by the following rewrite rules:

$o.l_j \to a_j\{x_j \leftarrow o\}$, $\quad j \in 1..n$

$o \lhd (l_j = \varsigma(x).a) \to [l_j = \varsigma(x).a,\ l_i = \varsigma(x_i).a_i]^{i \in 1..n,\ i \neq j}$, $\quad j \in 1..n$

where $o = [l_i = \varsigma(x_i).a_i]^{i \in 1..n}$.

The first rule defines the semantics of method invocation. The result of invoking the method $l_j$ (a “call” to method $\varsigma(x_j).a_j$) is the body $a_j$ of the method, where the self variable has been replaced by a copy of the host object. The second rule defines the semantics of method update. Note that the substitution operator is not part of the ς-calculus but rather a meta-operation.

As regards the expressive power of this calculus, it is shown in [1] that lambda terms can be encoded as objects and that β-reduction can be simulated by ς-reduction.

Definition 1. The translation $\langle\!\langle \cdot \rangle\!\rangle$ from λ-terms to ς-terms is defined as:

$\langle\!\langle x \rangle\!\rangle =_{def} x$

$\langle\!\langle \lambda x.a \rangle\!\rangle =_{def} [arg = \varsigma(z).z.arg,\ val = \varsigma(x).\langle\!\langle a \rangle\!\rangle\{x \leftarrow x.arg\}]$

$\langle\!\langle ab \rangle\!\rangle =_{def} \langle\!\langle a \rangle\!\rangle \bullet \langle\!\langle b \rangle\!\rangle$

where $c \bullet d =_{def} (c \lhd (arg = \varsigma(y).d)).val$ with $y \notin FV(d)$.

It is then proved for λ-terms $a$ and $b$ that if $a \to_\beta b$ then $\langle\!\langle a \rangle\!\rangle \twoheadrightarrow \langle\!\langle b \rangle\!\rangle$.

3 The ς-Calculus à la de Bruijn ($\varsigma_{DB}$-Calculus) 

Here we introduce the ς-calculus in a de Bruijn setting. N.G. de Bruijn introduced a notation for lambda terms which deals with the problem of having to rename bound variables when implementing mechanized provers [8]. 




208 E. Bonelli 



Instead of labelling bound variables with names (as above), variables are labelled with natural numbers. This number is usually referred to as a de Bruijn index. If a term is viewed as a tree, an index $n$ stands for a variable bound by the $n$-th binder starting from the position of the index. For example, the term $[l_1 = \varsigma(x_1).[l_2 = \varsigma(y_1).x_1,\ l_3 = \varsigma(z_1).z_1],\ l_4 = \varsigma(x_2).y_2]$ is represented as $[l_1 = \varsigma([l_2 = \varsigma(2),\ l_3 = \varsigma(1)]),\ l_4 = \varsigma(2)]$. Note that free variables are represented by indices greater than the number of binders above them; thus a variable assigned an index $n$ that has $m$ sigmas above it refers to the $(n - m)$-th free variable (in a preestablished ordering on the set of variables). The advantage attained is that there is no longer any need to perform renaming of bound variables. Nevertheless we must take care of index adjustments: if a substitution drags a term under a binder, its indices must be adjusted in order to avoid unwanted capture of indices.

The terms of the ς-calculus à la de Bruijn (the $\varsigma_{DB}$-calculus) are characterized by the grammar

$a ::= p \mid a.l \mid a \lhd (l = \varsigma(a)) \mid [l_i = \varsigma(a_i)]^{i \in 1..n}$

where $p$ is a natural number ($\mathbb{N}$) greater than zero. We shall use underlined natural numbers for indices.



Definition 2 (Ordinary Substitution). Let $a$ and $b$ be pure terms and $n \geq 1$. The substitution of $a$ by $b$ at level $n$ is defined as follows:

$[l_i = \varsigma(a_i)]\{n \leftarrow b\} =_{def} [l_i = \varsigma(a_i\{n+1 \leftarrow b\})]$

$d.l\{n \leftarrow b\} =_{def} d\{n \leftarrow b\}.l$

$d \lhd (l = \varsigma(c))\{n \leftarrow b\} =_{def} d\{n \leftarrow b\} \lhd (l = \varsigma(c\{n+1 \leftarrow b\}))$

$p\{n \leftarrow b\} =_{def} \begin{cases} p - 1 & \text{if } p > n \\ U^n_0(b) & \text{if } p = n \\ p & \text{if } p < n \end{cases}$

where for every $i \geq 0$ and $n \geq 1$, $U^n_i(\cdot)$ is an updating function from terms to terms defined as follows:

$U^n_i([l_k = \varsigma(a_k)]) =_{def} [l_k = \varsigma(U^n_{i+1}(a_k))]$

$U^n_i(a.l) =_{def} U^n_i(a).l$

$U^n_i(a \lhd (l = \varsigma(c))) =_{def} U^n_i(a) \lhd (l = \varsigma(U^n_{i+1}(c)))$

$U^n_i(p) =_{def} \begin{cases} p + n - 1 & \text{if } p > i \\ p & \text{if } p \leq i \end{cases}$


We now define the appropriate reduction rules using the notion of substitu- 
tion defined above. 



Definition 3 (Reduction in the $\varsigma_{DB}$-calculus). Reduction in the $\varsigma_{DB}$-calculus is defined by the following rewrite rules:

$[l_i = \varsigma(b_i)]^{i \in 1..n}.l_j \to b_j\{1 \leftarrow [l_i = \varsigma(b_i)]^{i \in 1..n}\}$, $\quad j \in 1..n$

$[l_i = \varsigma(b_i)]^{i \in 1..n} \lhd (l_j = \varsigma(c)) \to [l_j = \varsigma(c),\ l_i = \varsigma(b_i)]^{i \in 1..n,\ i \neq j}$, $\quad j \in 1..n$

Notice that substitution is still a meta-operation in this calculus, completely 
external to the reduction rules of the formalism. 
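As an added example (not code from Bonelli’s paper), a small Python interpreter for the $\varsigma_{DB}$-calculus: it implements the updating functions $U^n_i$ and the ordinary substitution $a\{n \leftarrow b\}$ of Definition 2 together with the two rewrite rules of Definition 3. The tuple encoding of terms, the `evaluate` strategy and the `field` helper (the method-based field simulation $l = \varsigma(b^+)$ discussed in Section 4) are this example’s own choices.

```python
# Added example (not from Bonelli's paper): a small interpreter for the
# sigma_DB-calculus of Definitions 2 and 3.  Terms are plain tuples:
#   ('var', p)                 de Bruijn index p >= 1
#   ('inv', a, l)              method invocation a.l
#   ('upd', a, l, c)           method update a <| (l = sigma(c))
#   ('obj', ((l1, a1), ...))   object [l_i = sigma(a_i)]^{i in 1..n}
# (this representation is the example's choice; the paper uses no code)

def update(a, n, i=0):
    """U^n_i(a): add n-1 to every index bound outside the first i binders."""
    kind = a[0]
    if kind == 'var':
        p = a[1]
        return ('var', p + n - 1) if p > i else a
    if kind == 'inv':
        return ('inv', update(a[1], n, i), a[2])
    if kind == 'upd':                      # the new body sits under a binder
        return ('upd', update(a[1], n, i), a[2], update(a[3], n, i + 1))
    if kind == 'obj':                      # every method body sits under a binder
        return ('obj', tuple((l, update(b, n, i + 1)) for l, b in a[1]))
    raise ValueError(f'unknown term {a!r}')

def subst(a, n, b):
    """a{n <- b}: ordinary substitution of Definition 2."""
    kind = a[0]
    if kind == 'var':
        p = a[1]
        if p > n:
            return ('var', p - 1)          # one binder fewer above this index
        if p == n:
            return update(b, n, 0)         # b is dragged under n-1 binders
        return a
    if kind == 'inv':
        return ('inv', subst(a[1], n, b), a[2])
    if kind == 'upd':
        return ('upd', subst(a[1], n, b), a[2], subst(a[3], n + 1, b))
    if kind == 'obj':
        return ('obj', tuple((l, subst(body, n + 1, b)) for l, body in a[1]))
    raise ValueError(f'unknown term {a!r}')

def step(a):
    """One root reduction of Definition 3; None when the root is not a redex."""
    if a[0] == 'inv' and a[1][0] == 'obj':
        obj, l = a[1], a[2]
        for label, body in obj[1]:
            if label == l:                 # o.l_j -> b_j{1 <- o}: self becomes o
                return subst(body, 1, obj)
        return None
    if a[0] == 'upd' and a[1][0] == 'obj':
        obj, l, c = a[1], a[2], a[3]
        if all(label != l for label, _ in obj[1]):
            return None                    # updating an absent label is stuck
        return ('obj', ((l, c),) + tuple(m for m in obj[1] if m[0] != l))
    return None

def evaluate(a, fuel=1000):
    """Reduce a with a weak strategy chosen for this example: evaluate the
    subject of an invocation or update first, then fire the root redex."""
    if fuel <= 0:
        raise RecursionError('no normal form reached within the fuel limit')
    if a[0] in ('inv', 'upd'):
        a = (a[0], evaluate(a[1], fuel - 1)) + a[2:]
        r = step(a)
        if r is not None:
            return evaluate(r, fuel - 1)
    return a

def field(b):
    """Simulate a field with body b as the method sigma(b^+) (cf. Section 4):
    b^+ is b with every free index raised by one, i.e. U^2_0(b)."""
    return update(b, 2, 0)

if __name__ == '__main__':
    # The paper's example: [l1 = s(x1).[l2 = s(y1).x1, l3 = s(z1).z1], l4 = s(x2).y2]
    t = ('obj', (('l1', ('obj', (('l2', ('var', 2)), ('l3', ('var', 1))))),
                 ('l4', ('var', 2))))
    print(evaluate(('inv', t, 'l1')))   # the inner object, with self replaced by t
```

Invoking `l1` on the example term yields the inner object in which index 2 (the outer self) has been replaced by a copy of the whole object, with the free index of `l4`'s body shifted from 2 to 3 because that copy now sits one binder deeper.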
4 The ς-Calculus à la de Bruijn with Fields 

This calculus is a straightforward extension of the $\varsigma_{DB}$-calculus. It is formulated in preparation for the introduction of explicit substitutions in Section 5 and shall also be used for proving some properties of this calculus of explicit substitutions.

From a general standpoint, an object may be regarded as an entity encapsulating state (fields) and behaviour (methods) in an object-oriented language. These methods allow the object to modify its local state as well as interact with other objects. Let us concentrate on fields. Consider an object calculator that possesses a field which allows the user (another object) to store some intermediate result. For this, the object interface includes a method save(n) where n is the number to be stored. Also, in order to retrieve this value, it includes a method recall. Thus one would expect the equation calculator.save(n).recall = n to be true. This is characteristic of the behaviour of fields. As mentioned in [1], the ς-calculus does not include field constructs as primitive. Nevertheless, methods that do not use the self variable may be regarded as fields. Indeed, let $b$ be a term in the ς-calculus with no occurrence of a variable $x$. Then we have $[l = \varsigma(x).b].l \to_\varsigma b\{x \leftarrow [l = \varsigma(x).b]\} = b$. Thus we obtain exactly $b$, the body of the method $l = \varsigma(x).b$.

Now consider the setting where variables are represented no longer by variable names but by de Bruijn indices. Then we could attempt to proceed as above. Consider a term $b$ in the $\varsigma_{DB}$-calculus such that $1 \notin FV(b)$. Then we have $[l = \varsigma(b)].l \to b\{1 \leftarrow [l = \varsigma(b)]\} = b^-$, where $b^-$ represents $b$ with its free indices decremented by one unit. The result obtained is not the same as the body of the method $l = \varsigma(b)$.

Thus we may simulate fields in the $\varsigma_{DB}$-calculus by representing them as methods $l = \varsigma(b^+)$ where $b^+$ represents $b$ with all free indices incremented by one unit. Nevertheless, we shall introduce fields as primitive constructs in the language. The reason for doing so is that when explicit substitutions are introduced into the calculus and the translation of (an explicit substitution version of) the λ-calculus into this extension is studied, field simulation may no longer be performed (cf. Section 5).

Therefore, in our de Bruijn setting we incorporate, as a primitive notion, that of a field. The terms of the ς-calculus à la de Bruijn with fields are called pure terms and are characterized by the following grammar:

$a ::= p \mid a.l \mid a \lhd (m) \mid [m_i]^{i \in 1..n}$

$m ::= l = g \mid l := a$

$g ::= \varsigma(a)$

where $p$ is a natural number greater than zero.

An object is constructed by a list of methods and fields. A method is denoted “$l = g$” where $l$ is its label and $g$ its body. A field is denoted “$l := a$” where $l$ is its label and $a$ its body. Note that we may override a method with a field and vice versa.
We now define the appropriate reduction rules using the notion of substitution defined above.

Definition 4 (Reduction in the ς-calculus à la de Bruijn with fields). Reduction in this calculus is defined by adding the following rewrite rules to the rewrite rules of Definition 3:



< {h ■■= «) 







iE l..n,i^j 1 



Notice that substitution is still a meta-operation in this calculus, completely 
external to the reduction rules of the formalism. 

The ς-calculus à la de Bruijn with fields is confluent. This may be proved using the proof technique presented in [27], a variation of the Tait-and-Martin-Löf technique. Also, via a translation function that appropriately adjusts the indices of the bodies of fields, it may be proved that the $\varsigma_{DB}$-calculus can simulate the ς-calculus à la de Bruijn with fields. For details the reader is referred to [6].



5 Fields and Explicit Substitutions 

The ς-calculus with explicit substitutions and de Bruijn indices, which we shall hereafter refer to as the $\varsigma_{DBES}$-calculus, is presented in this section. This calculus introduces two forms of substitution into the object language: ordinary substitution and invoke substitution. Also, the need for using explicit fields is explained.



5.1 The $\varsigma_{DBES}$-Calculus 

The set of terms of the $\varsigma_{DBES}$-calculus consists of terms of sort Term and terms of sort Subst. These are defined by the following grammar (sort Term to the left and sort Subst to the right):

$a ::= p \mid a.l \mid a \lhd (m) \mid [m_i]^{i \in 1..n} \mid a[s]$

$m ::= l = g \mid l := a \qquad\qquad s ::= a/ \mid @l \mid \Uparrow(s) \mid \uparrow$

$g ::= \varsigma(a) \mid g[s]$

where $p$ is a natural number greater than zero.

Unless otherwise stated, when we say that “$a$ is a term in $\varsigma_{DBES}$” we mean “$a$ is a term of sort Term”. A closure is a term of the form $a[s]$. A term that does not contain occurrences of closures as subterms is called a pure term. A term $a[s]$ may be regarded as the term $a$ with pending substitution $s$. The substitution operator $\cdot[\cdot]$ is part of the calculus (at the object-level). A substitution $s$ with an occurrence of $a/$ is called an ordinary substitution, whereas a substitution $s$ with an occurrence of $@l$ is called an invoke substitution. More on invoke substitutions shall be said in Section 7. Note that if we erase the grammar rules generating closures then we obtain the set of pure terms.
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The substitution grammar (and substitution subcalculus) for ordinary sub- 
stitution is based on the calculus of explicit substitution for the lambda calculus, 

A„ [20], 

We shall frequently use the notation $\Uparrow^i(s)$ and $a[s]^i$, defined inductively as:

$\Uparrow^0(s) =_{def} s$          $a[s]^0 =_{def} a$
$\Uparrow^{i+1}(s) =_{def} \Uparrow(\Uparrow^i(s))$          $a[s]^{i+1} =_{def} a[s]^i[s]$

The semantics of the ς_DBES-calculus is defined by the following rewrite rules:

$[m_i^{\,i\in 1..n}].l_j \;\to_{MI}\; b[[m_i^{\,i\in 1..n}]/]$                where $m_j = (l_j = \varsigma(b))$, $j \in 1..n$
$[m_i^{\,i\in 1..n}].l_j \;\to_{FI}\; a$                                      where $m_j = (l_j := a)$, $j \in 1..n$
$[m_i^{\,i\in 1..n}] \lhd (l_j = g) \;\to_{MO}\; [l_j = g,\ m_i^{\,i\in 1..n,\ i\neq j}]$        $j \in 1..n$
$[m_i^{\,i\in 1..n}] \lhd (l_j := a) \;\to_{FO}\; [l_j := a,\ m_i^{\,i\in 1..n,\ i\neq j}]$      $j \in 1..n$
$(\varsigma(c))[s] \;\to_{SM}\; \varsigma(c[\Uparrow(s)])$
$[m_i^{\,i\in 1..n}][s] \;\to_{SO}\; [m_i[s]^{\,i\in 1..n}]$
$(l := a)[s] \;\to_{SF}\; l := a[s]$
$(l = g)[s] \;\to_{SB}\; l = g[s]$
$a.l[s] \;\to_{SI}\; a[s].l$
$a \lhd (m)[s] \;\to_{SU}\; a[s] \lhd (m[s])$
$1[a/] \;\to_{FVar}\; a$
$p{+}1[a/] \;\to_{RVar}\; p$
$1[@l] \;\to_{FInv}\; 1.l$
$p{+}1[@l] \;\to_{RInv}\; p{+}1$
$1[\Uparrow(s)] \;\to_{FVarLift}\; 1$
$p{+}1[\Uparrow(s)] \;\to_{RVarLift}\; p[s][\uparrow]$
$p[\uparrow] \;\to_{VarShift}\; p{+}1$
$a[\Uparrow^i(@l)][\Uparrow^i(o/)] \;\to_{CO}\; a[\Uparrow^i(b/)]$               where $l := b$ is a field of the object $o$
$a[\Uparrow^i(@l)][\Uparrow^k(s)] \;\to_{SW}\; a[\Uparrow^k(s)][\Uparrow^i(@l)]$    $k > i$


The rule MI activates a method invocation. The rule FI activates a field invocation. The rules MO and FO activate method override and field override respectively. Rules SM, SO, SF, SB, SI and SU allow the propagation of the substitution operator through the method body, object, field, method, invocation and override constructors. Rules FVar, RVar, FInv, RInv, FVarLift, RVarLift and VarShift allow the computation of substitutions on indices. Finally, the rule CO expresses a form of interaction of substitutions, and SW expresses a (weak) form of commutation or switching of substitutions. These two rules will be used in simulating λυ in the ς_DBES-calculus.

It is interesting to compare rules RVar and RInv. The creation of a substitution of the form b/ is accompanied by the elimination of a binder (see rule MI). Hence all "free" indices should be decremented by one unit, whereas in the case of the invoke substitution operator no such adjustment is made.

The ς_DBES-calculus without the rules MI, MO, FI and FO is referred to as the ESDB rewriting system. Note that ESDB is not locally confluent, since for example the term 1[@l][[l := b]/] reduces to two different terms by the rules FInv and CO respectively, and requires FI to close the diagram. The ESDB rewriting system is responsible for performing or discarding the substitution operators and additionally allows for some interaction between ordinary and invoke substitution operators. The rewriting system obtained by eliminating the rules for substitution interaction (rules CO and SW) is called the BES (Basic Explicit Substitution) rewriting system. This system suffices for executing substitutions; the interaction rules shall be needed when simulating λυ.

5.2 The Need for Explicit Fields

In Section 4 we saw that although the ς_DB-calculus incorporates fields as primitive constructs, this is not strictly necessary, as fields may be simulated in the ς_DB-calculus in a rather natural way. This situation no longer holds when explicit substitutions are introduced and we attempt to translate the λυ-calculus into the ς_DBES-calculus using the translation in [1] (recalled in Section 2) for the λ-calculus.

Let us ignore fields as a primitive construct in the language for the moment and return to our simulation of fields as discussed in Section 4. A field b is represented as the method $l = \varsigma(b^+)$. The ς_DBES-calculus is then reduced to the calculus, say, in which the rules FI, FO, SF and CO have been eliminated.

Now when we attempt to translate the λυ-calculus into the ς_DBES-calculus in the style of ≺.≻ we arrive naturally at the translation function k:

$k(a/) =_{def} k(a)/$          $k(p) =_{def} p$
$k(\Uparrow(s)) =_{def} \Uparrow(k(s))$          $k(\uparrow) =_{def} \uparrow$
$k(a[s]) =_{def} k(a)[k(s)]$
$k(ab) =_{def} (k(a) \lhd (arg = \varsigma(k(b)^+))).val$
$k(\lambda a) =_{def} [arg = \varsigma(1.arg),\ val = \varsigma(k(a)[@arg])]$

But the meaning of $k(b)^+$ is no longer clear, since k(b) may have occurrences of the explicit substitution operator (it is no longer a pure term). To remedy this situation the next logical step would be to introduce an "explicit substitution version" of the $.^+$ operator, which in fact we already have: the ↑ (shift) operator. Indeed, it is with the aid of the shift operator that updating is implemented explicitly (cf. Section 7 in [6]). The clause of the definition of k for applications is now replaced by $k(ab) =_{def} (k(a) \lhd (arg = \varsigma(k(b)[\uparrow]))).val$.

So now we proceed to verify that the translation is correct (preserves λυ-reduction). Consider for example the λυ-reduction rule $(\lambda a)b \to_{Beta} a[b/]$ (cf. Section 6). Then we must have $k((\lambda a)b) \to^* k(a[b/])$. We can go as far as:

$k((\lambda a)b) =_{def} ([arg = \varsigma(1.arg),\ val = \varsigma(k(a)[@arg])] \lhd (arg = \varsigma(k(b)[\uparrow]))).val$
$\to_{MO} [arg = \varsigma(k(b)[\uparrow]),\ val = \varsigma(k(a)[@arg])].val$
$\to_{MI} k(a)[@arg][[arg = \varsigma(k(b)[\uparrow]),\ val = \varsigma(k(a)[@arg])]/]$

Thus in order to arrive at $k(a)[k(b)/]$ we are in need of adding to the ς_DBES-calculus a commutation rule of the form

$a[\Uparrow^i(@l_j)][\Uparrow^i([l_j = \varsigma(b[\uparrow]), \ldots]/)] \to_{COM} a[\Uparrow^i(b/)]$

(taking i = 0 suffices for our example). But adding a rule like COM clearly introduces confluence problems.

A variant could be the rule $a[\Uparrow^i(@l_j)][\Uparrow^i([l_j = \varsigma(b), \ldots]/)] \to_{COM'} a[\Uparrow^i(c/)]$ where $b =_{BES} c[\uparrow]$. The major drawbacks are then the fact that the rule is conditional and that (computationally) expensive checking on the equational substitution theory is required (this resembles problems studied when dealing with η-contraction in explicit substitution calculi ([7], [25], [16])).

These problems stem from the fact that the formulation of rules which are subject to restrictions on the free variables in a de Bruijn index setting, and in the presence of explicit substitutions, is non-trivial. Here we have solved these issues by a minor change in the syntax, so as to represent fields as primitive operators. In fact, the rewrite rule CO of the named ς_ES-calculus presented in [17] is conditional, whereas the CO rule presented in this work, in a de Bruijn index setting, is actually simpler since no condition is present.

6 Encoding λυ-Terms in the ς_DBES-Calculus

In this section we will show how to simulate the explicit substitution calculus for the lambda calculus λυ [20] in the ς_DBES-calculus. We start by augmenting the grammar productions for the terms of the ς_DBES-calculus in order to allow abstractions and applications as legal terms. We then define a translation from terms in the λυ-calculus into this augmented set of terms which preserves reduction. We recall the main definitions of the λυ-calculus. Terms are defined by the grammars $t ::= p \mid tt \mid \lambda t \mid t[s]$ and $s ::= \uparrow \mid t/ \mid \Uparrow(s)$. We recall the rules below.



$(\lambda a)\,b \;\to_{Beta}\; a[b/]$
$(a\,b)[s] \;\to_{App}\; a[s]\,b[s]$
$(\lambda a)[s] \;\to_{Abs}\; \lambda(a[\Uparrow(s)])$
$1[a/] \;\to_{FVar}\; a$
$p{+}1[a/] \;\to_{RVar}\; p$
$1[\Uparrow(s)] \;\to_{FVarLift}\; 1$
$p{+}1[\Uparrow(s)] \;\to_{RVarLift}\; p[s][\uparrow]$
$p[\uparrow] \;\to_{VarShift}\; p{+}1$
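The λυ rules just recalled, as an added example (this is not code from the paper or from [20]): a small Python rewriter that implements the eight rules over tuple-encoded terms with de Bruijn indices and reduces the constructed term (λλ(2 1)) 3. The constructor names and the leftmost-outermost choice of redex are this example's own assumptions; λυ itself fixes no strategy.

```python
"""Added example (not code from the paper): a rewriter for the lambda-upsilon
rules with de Bruijn indices.  Terms are nested tuples: ('var', p), ('app', a, b),
('lam', a), ('clo', a, s); substitutions are ('shift',), ('slash', a), ('lift', s)."""


def pretty(t):
    """Render a term or substitution in the paper's notation."""
    k = t[0]
    if k == 'var':
        return str(t[1])
    if k == 'app':
        return f"({pretty(t[1])} {pretty(t[2])})"
    if k == 'lam':
        return f"λ{pretty(t[1])}"
    if k == 'clo':
        return f"{pretty(t[1])}[{pretty(t[2])}]"
    if k == 'shift':
        return "↑"
    if k == 'slash':
        return f"{pretty(t[1])}/"
    if k == 'lift':
        return f"⇑({pretty(t[1])})"
    raise ValueError(k)


def try_rule(t):
    """Apply one λυ rule at the root of t; return (result, rule name) or None."""
    k = t[0]
    if k == 'app' and t[1][0] == 'lam':                       # Beta
        return ('clo', t[1][1], ('slash', t[2])), 'Beta'
    if k != 'clo':
        return None
    body, s = t[1], t[2]
    if body[0] == 'app':                                      # App
        return ('app', ('clo', body[1], s), ('clo', body[2], s)), 'App'
    if body[0] == 'lam':                                      # Abs: lift under the binder
        return ('lam', ('clo', body[1], ('lift', s))), 'Abs'
    if body[0] == 'var':
        p = body[1]
        if s[0] == 'slash':                                   # FVar / RVar
            return (s[1], 'FVar') if p == 1 else (('var', p - 1), 'RVar')
        if s[0] == 'lift':                                    # FVarLift / RVarLift
            if p == 1:
                return ('var', 1), 'FVarLift'
            return ('clo', ('clo', ('var', p - 1), s[1]), ('shift',)), 'RVarLift'
        if s[0] == 'shift':                                   # VarShift
            return ('var', p + 1), 'VarShift'
    return None


def step(t):
    """Leftmost-outermost rewrite step; returns (new term, rule name) or None."""
    r = try_rule(t)
    if r:
        return r
    for i, c in enumerate(t):
        if isinstance(c, tuple):
            r = step(c)
            if r:
                return t[:i] + (r[0],) + t[i + 1:], r[1]
    return None


def normalize(t, limit=10_000):
    """Rewrite to normal form; returns (normal form, list of rule names used)."""
    trace = []
    while len(trace) < limit:
        r = step(t)
        if r is None:
            return t, trace
        t, rule = r
        trace.append(rule)
    raise RuntimeError("step limit exceeded")


# Constructed sample: (λλ(2 1)) 3.  The argument 3 is a free index and must be
# shifted to 4 when it passes under the inner binder; the bound 1 stays as it is.
SAMPLE = ('app', ('lam', ('lam', ('app', ('var', 2), ('var', 1)))), ('var', 3))

if __name__ == '__main__':
    nf, trace = normalize(SAMPLE)
    print(pretty(SAMPLE), "→*", pretty(nf), "via", " ".join(trace))
```

The trace for the sample runs Beta, Abs, App, RVarLift, FVar, VarShift, FVarLift and ends in λ(4 1): RVarLift is where the lifted substitution is stripped off under the binder and the shift is queued, and VarShift is where the free index is actually incremented, which is exactly the index bookkeeping the paper's invoke substitution deliberately does not perform.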



The mixed set of terms, which we shall call T_λς_DBES, consists of the terms of sort Term and terms of sort Subst (which remain unaltered). The terms of sort Term are defined by the following grammar:

$a ::= p \mid a.l \mid a \lhd (m) \mid [m_i^{\,i\in 1..n}] \mid a[s] \mid \lambda a \mid (a\,a)$
$m ::= l = g \mid l := a$
$g ::= \varsigma(a) \mid g[s]$

where p is any natural number greater than zero.

The rewrite rules of the λς_DBES-calculus consist of the rewrite rules of the ς_DBES-calculus together with the rules Beta, Abs and App of the λυ-calculus (note that the remaining rules of λυ already belong to the ς_DBES-calculus). The resulting system may be proved confluent using the interpretation technique [12] and the fact that the corresponding system with meta-level substitutions is an orthogonal rewrite system.

The encoding of λυ-terms into λς_DBES-terms makes use of the invoke explicit substitution operator and fields.

Definition 5 (Translation of λς_DBES-terms into terms in T_ς_DBES). The translation ≺.≻ from λς_DBES-terms into terms in T_ς_DBES is defined as:



$\prec p \succ =_{def} p$
$\prec \varsigma(a) \succ =_{def} \varsigma(\prec a \succ)$
$\prec a.l \succ =_{def} \prec a \succ.l$
$\prec a/ \succ =_{def} \prec a \succ/$
$\prec a \lhd (m) \succ =_{def} \prec a \succ \lhd (\prec m \succ)$
$\prec \Uparrow(s) \succ =_{def} \Uparrow(\prec s \succ)$
$\prec [m_i^{\,i\in 1..n}] \succ =_{def} [\prec m_i \succ^{\,i\in 1..n}]$
$\prec \uparrow \succ =_{def} \uparrow$
$\prec l = g \succ =_{def} l = \prec g \succ$
$\prec @l \succ =_{def} @l$
$\prec l := a \succ =_{def} l := \prec a \succ$
$\prec \lambda a \succ =_{def} c$
$\prec a[s] \succ =_{def} \prec a \succ[\prec s \succ]$
$\prec ab \succ =_{def} \prec a \succ \bullet \prec b \succ$

where c is $[arg = \varsigma(1.arg),\ val = \varsigma(\prec a \succ[@arg])]$ and $p \bullet q =_{def} (p \lhd (arg := q)).val$.

The translation interprets the lambda expressions abstraction and application as objects, leaving the rest of the constructions without modification. The translation of an abstraction introduces the invoke substitution. Note that the index level 1 (to which the invoke substitution applies) is bound. This reveals a difference in the behaviour of ordinary and invoke substitutions, as discussed above. Ordinary substitution is of no use here, since its index adjusting mechanism does not exhibit the desired behaviour.

The principal motivation behind the introduction of the rules describing the interaction of ordinary substitution and invoke substitution lies in the following proposition.

Proposition 1 (ς_DBES simulates λυ). If $a \to_{\lambda\upsilon} b$ then $\prec a \succ \to^+_{\varsigma_{DBES}} \prec b \succ$.

Proof. The proof is done by structural induction on the λυ-term. The key cases are $\prec (\lambda a)b \succ \to^+_{\varsigma_{DBES}} \prec a[b/] \succ$ (Case 1) and $\prec (\lambda a)[s] \succ \to^+_{\varsigma_{DBES}} \prec \lambda(a[\Uparrow(s)]) \succ$ (Case 2).

Case 1.

$\prec (\lambda a)b \succ =_{def} ([arg = \varsigma(1.arg),\ val = \varsigma(\prec a \succ[@arg])] \lhd (arg := \prec b \succ)).val$
$\to_{MO} [arg := \prec b \succ,\ val = \varsigma(\prec a \succ[@arg])].val$
$\to_{MI} \prec a \succ[@arg][[arg := \prec b \succ,\ val = \varsigma(\prec a \succ[@arg])]/]$
$\to_{CO} \prec a \succ[\prec b \succ/]$
$=_{def} \prec a[b/] \succ$

Case 2.

$\prec (\lambda a)[s] \succ =_{def} [arg = \varsigma(1.arg),\ val = \varsigma(\prec a \succ[@arg])][\prec s \succ]$
$\to_{SO} [arg = (\varsigma(1.arg))[\prec s \succ],\ val = (\varsigma(\prec a \succ[@arg]))[\prec s \succ]]$
$\to_{BES} [arg = \varsigma(1.arg[\Uparrow(\prec s \succ)]),\ val = \varsigma(\prec a \succ[@arg][\Uparrow(\prec s \succ)])]$
$\to_{BES} [arg = \varsigma(1.arg),\ val = \varsigma(\prec a \succ[@arg][\Uparrow(\prec s \succ)])]$
$\to_{SW} [arg = \varsigma(1.arg),\ val = \varsigma(\prec a \succ[\Uparrow(\prec s \succ)][@arg])]$
$=_{def} \prec \lambda(a[\Uparrow(s)]) \succ$

We may therefore conclude that λυ-derivations may be translated into ς_DBES-reduction sequences, thereby implementing objects and functions at the same time.
7 Confluence and PSN of the ς_DBES-Calculus

When dealing with calculi of explicit substitutions some basic properties have to be considered, namely, strong normalization of the substitution calculus (ESDB), confluence of the full calculus and preservation of strong normalization, that is, that every strongly normalizing term in the ς_DB-calculus must also be strongly normalizing in the ς_DBES-calculus. The history of calculi of explicit substitution has revealed that this last property is by no means trivial. One of the first calculi of explicit substitution for the λ-calculus, called λσ [2] and introduced in 1991, was long believed to satisfy the aforementioned property. Surprisingly, in 1995 Melliès provided a counterexample [22], exhibiting a (pure, typable) term that is strongly β-normalizing yet admits an infinite λσ-reduction sequence. Since we allow some interaction between substitutions, this property is essential in our current setting.

Strong normalization of the substitution calculus is obtained by the polynomial interpretation technique. As for the confluence of the ς_DBES-calculus, we have the following result, which is proved using the Interpretation Method [12].

Proposition 2. The ς_DBES-calculus is confluent.

Proving preservation of strong normalization is more complicated. We shall obtain the desired result by using a technique introduced by Bloo and Geuvers in [4]. As remarked before, this property is an essential ingredient in any explicit substitution implementation of a calculus, more so if there is some form of interaction between substitutions, as is our case.

Definition 6 (Strongly normalising pure terms of T_ς_DBES). Let SN denote the set of all the strongly normalizing pure terms. Then we may define ℱ as

$\mathcal{F} = \{\, a \in T_{\varsigma_{DBES}} \mid \text{for all } b \subseteq a \text{ of sort Term},\ BES(b) \in SN \,\}$.

The notation b ⊆ a is used to denote that b is a subterm of a. Next we show that ℱ is closed with respect to reduction in the ς_DBES-calculus.

Lemma 1. Let a, b ∈ T_ς_DBES. If a ∈ ℱ and $a \to_{\varsigma_{DBES}} b$ then b ∈ ℱ.

Proof. We show that for every c ⊆ b we have BES(c) ∈ SN. The proof is by induction on a.



Definition 7 (Labelled terms). We define the set of terms T_l over the alphabet $\mathcal{A} = \{\star,\ \circ,\ ._n.,\ .\langle.\rangle_n,\ .\llbracket.\rrbracket_n,\ \lhd(.,.),\ \varsigma(.),\ [.],\ =,\ :=\}$, for n a natural number greater than or equal to zero, by the following grammar:

$t ::= \star \mid t._n \circ \mid t\langle t\rangle_n \mid t\llbracket \circ \rrbracket_n \mid \lhd(t,u) \mid [u_i^{\,i\in 1..n}]$
$u ::= \circ = f \mid \circ := t$
$f ::= \varsigma(t) \mid f\langle t\rangle_n$
Definition 8 (Translation from T to T_l). The translation $S(.) : T \to T_l$ is defined as follows:

$S(p) =_{def} \star$
$S([m_i^{\,i\in 1..n}]) =_{def} [S(m_i)^{\,i\in 1..n}]$
$S(l = g) =_{def} S(l) = S(g)$
$S(l := a) =_{def} S(l) := S(a)$
$S(\varsigma(a)) =_{def} \varsigma(S(a))$
$S(a.l) =_{def} S(a)._n S(l)$   where $n = maxred_{\varsigma_{DB}}(BES(a.l))$
$S(a \lhd (m)) =_{def} \lhd(S(a), S(m))$
$S(a[\Uparrow^i(b/)]) =_{def} S(a)\langle S(b)\rangle_n$   where $n = maxred_{\varsigma_{DB}}(BES(a[\Uparrow^i(b/)]))$
$S(a[\Uparrow^i(\uparrow)]) =_{def} S(a)$
$S(a[\Uparrow^i(@l)]) =_{def} S(a)\llbracket S(l)\rrbracket_n$   where $n = maxred_{\varsigma_{DB}}(BES(a[\Uparrow^i(@l)]))$

where $S(l) = \circ$.

We define a precedence (partial ordering) on the set of operators of $\mathcal{A}$ as follows: $\ldots > .\langle.\rangle_n > .\llbracket.\rrbracket_n > \ldots > \lhd(.,.) > \varsigma(.) > {=} > {:=}$. Then, since the precedence is well-founded, the induced Recursive Path Ordering (RPO) $\succ_{T_l}$ defined below is well-founded on T_l [10].

Lemma 2. Let a ∈ ℱ. Then $a \to_R a'$ implies $S(a) \succ_{T_l} S(a')$ where R = {MI, FI, MO, FO}, and $S(a) \succeq_{T_l} S(a')$ if R = ς_DBES − {MI, FI, MO, FO}.

Proof. The proof is by structural induction on a, using Lemma 1 and additional technical lemmata (see [6]).

We may now prove the main proposition of this section, namely, the proposition of preservation of strong normalization for the ς_DBES-calculus.

Proposition 3 (PSN of the ς_DBES-calculus). The ς_DBES-calculus preserves strong normalization.

Proof. Suppose that the ς_DBES-calculus does not preserve strong normalization. Thus there is a pure term a which is strongly ς_DB-normalizing but which possesses an infinite reduction sequence in the ς_DBES-calculus. Since the rewriting system S = ESDB ∪ {MO, FO, FI} is strongly normalizing [6], this reduction sequence must have the form

$a = a_1 \to^*_S a_2 \to_{MI} a_3 \to^*_S a_4 \to_{MI} a_5 \to^*_S \cdots$

where the reductions $a_{2k} \to_{MI} a_{2k+1}$ for k ≥ 1 occur infinitely many times. Now since a is in ℱ, and since by Lemma 1 the set ℱ is closed under reduction in ς_DBES, we obtain an infinite sequence

$S(a) = S(a_1) \succeq_{T_l} S(a_2) \succ_{T_l} S(a_3) \succeq_{T_l} S(a_4) \succ_{T_l} S(a_5) \cdots$

This contradicts the well-foundedness of the recursive path ordering $\succ_{T_l}$.

8 Conclusions and Future Work

We have proposed a first order calculus based on de Bruijn indices and explicit substitutions for implementing objects and functions. The encoding of functions as objects in the spirit of [1] has led us to consider fields as primitive constructs in the language. The resulting calculus has been shown to correctly simulate the object calculus (ς) and the function calculus (λυ), and also to satisfy the properties of confluence and preservation of strong normalization. As in [17], two different forms of substitution are present in the calculus: ordinary substitution and invoke substitution. In the named variable calculus presented in [17], called ς_ES, this distinction is based on constraints associated with types (in an invoke substitution the type of the method invocation x.l to be substituted for x differs) and the free variable property. In fact, since ς_ES is untyped, the type constraint may be minimized. In contrast, and as already hinted in [17], in the ς_DBES-calculus this distinction is based on different index adjusting mechanisms, thus fully justifying the need for different substitution operators.

Interaction between substitutions, such as composition or permutation of substitutions, usually renders the property of preservation of strong normalization non-trivial. Indeed, since a weak form of interaction between both forms of substitution is present in the ς_DBES-calculus, the proof of the property of preservation of strong normalization has turned out to be a key issue.

Finally, rules possessing conditions on free variables in a named variable setting generally pose problems when expressed in a de Bruijn index setting, as may be seen for example when dealing with η-reduction ([7], [25], [16]). The use of fields as a primitive construct has allowed us to replace the conditional rules present in ς_ES with non-conditional rules, thus simplifying the resulting calculus.

As already discussed, the ς_DBES-calculus is not an instance of the de Bruijn index based higher order rewriting formalism XRS [24]. XRSs provide a fixed substitution calculus (σ⇑) for computing ordinary substitutions. Thus an interesting approach is to generalize this framework to a formalism where various forms of substitution may be defined, with possible interaction between them.

Also, in view of the importance of the typing discipline, the consideration of type systems for the ς_DBES-calculus is required.
Abstract. Closed reduction in the λ-calculus is a strategy for a calculus of explicit substitutions which overcomes many of the usual syntactical problems of substitution. This is achieved by only moving closed substitutions through certain constructs, which gives a weak form of reduction, but one rich enough to capture the usual strategies in the λ-calculus (call-by-value, call-by-need, etc.) and adequate for the evaluation of programs. An interesting point is that the calculus permits substitutions to move through abstractions, and reductions are allowed under abstractions, if certain conditions hold. The calculus naturally provides an efficient notion of reduction (with a high degree of sharing), which can easily be implemented.



1 Introduction 

It is well known that substitution in the λ-calculus is a meta-operation, defined outside of the syntax of the system. Equally, it is well known that the substitution process is a very delicate operation that may require the use of α-conversion, and it may cause terms, redexes and potential redexes to be duplicated or erased.

In recent years a whole range of explicit substitution calculi have been proposed, starting from the λσ-calculus [1], with the general aim of making the substitution process exist at the same level as β-reduction. In general, the main motivation for such calculi is to have a handle on the process of substitution, and to be able to control it in various ways. There are however two distinct applications for these calculi. First, from a term rewriting perspective, the goal is to capture β-reduction as a first order term rewriting system. Here simulation of β-reduction, preservation of termination and confluence seem to be the main issues. Secondly, from an implementation perspective, the goal is to explain in low level terms the process of β-reduction, which can provide a basis for abstract machines and implementations of functional programming languages. Although the second point is used as a motivating factor in most studies of explicit substitutions, we find that the first point has had the most attention. In this paper we focus on the second aspect. In particular we are not directly interested in simulating β-reduction in full generality, but rather in using the substitution mechanism to provide a simple and efficient form of reduction.

Our point of departure is a calculus of explicit substitutions with names, 
which simply adds the meta-level operation as a collection of conditional rewrite 
rules. We then proceed in a thorough-going fashion to systematically remove 
all the problematic and expensive rules of this system by giving a strategy for 
reduction. It turns out that this can be achieved by permitting certain reductions 
to take place only when a sub-term is closed (no free variables). In particular, 
this eliminates variable clash and capture problems, and removes the necessity 
of generating fresh variable names during reduction, which overcomes the main 
objection for explicit substitution calculi with names. 

Almost all evaluators for the λ-calculus are based on reduction to weak head normal form, which is characterized by rejecting reduction under an abstraction. There are many ways to obtain such normal forms; the most common are call-by-need and call-by-value reduction. In the language of explicit substitutions, this weak form of reduction is often interpreted as not pushing substitutions through an abstraction [3]. This form of weak reduction has the convenience that the most awkward part of the substitution process is removed from the system (prohibiting substitution through an abstraction avoids name clashes and α-conversions). However, this benefit is achieved at a price, because terms with substitutions (closures) may be copied, which can cause redexes to be duplicated. In our calculus we address this problem by allowing closed substitutions to be made, and moreover we never copy a term (or closure) which contains a free variable.

The λ-calculus, in addition to substitution, lacks explicit information about sharing and evaluation orders. This point becomes more subtle when one considers it in the framework of explicit substitutions, since the order in which substitutions are performed can have dramatic consequences on the efficiency of the reduction process. To ensure that we have tight control over the way substitutions are performed, we also make explicit the copying and erasing phases of substitution, which are inspired by various calculi for linear logic. This will also allow us to control (and avoid) the issues of duplicating and erasing free variables in the substitution process.

In summary, we present a calculus of explicit substitutions with explicit resource management, where the emphasis is on obtaining answers in a simple and efficient way. The key aspect of the reduction strategy used is that of closed reduction, which provides a mechanism that easily allows: reduction under, and substitution through, an abstraction; avoidance of duplication of free variables; and clean garbage collection. An implementation of closed reduction using interaction nets is presented in [8] together with benchmarks and empirical comparisons with some other implementations of the λ-calculus.

Related Work. Our work builds upon the use of explicit substitutions for controlling substitutions in the λ-calculus, with an emphasis on implementation, for instance the call-by-need λ-calculus of Ariola et al. [2] and calculi with shared environments of Yoshida [13]. Also oriented towards implementation are [5] and [12]. The notion of closed reduction for the λ-calculus was inspired by a strategy for cut-elimination in linear logic, used in a proof of soundness of the geometry of interaction by Girard [4].

Overview. In the following section we motivate our work by looking at the problematic issues in explicit substitution calculi. In Section 3 we present the closed reduction calculus, called λ_c. In Section 4 we study several properties of the calculus. Section 5 gives a type system for the calculus and we show subject reduction and termination. The relation with β-reduction and strategies in the λ-calculus is given in Section 6. Section 7 gives an alternative presentation of our calculus inspired by director strings. We conclude the paper in Section 8.



2 Motivation: Calculi and Strategies

The first version of the calculus is obtained by simply making the meta-operation of substitution part of the syntax, and adding explicit conditional rules for the propagation of substitutions. These rules are inspired by the original definition of substitution given by Church. By analyzing these rules for substitution from a very syntactic perspective we will identify a series of refinements that will lead to the final calculus, which we call λ_c. We shall use explicit substitution calculi with names throughout, but most of what we have to say can be formulated in terms of the de Bruijn notation.

Definition 1 (λ-calculus with names and explicit substitutions). Terms are built from the grammar $t ::= x \mid \lambda x.t \mid (tt) \mid t[t/x]$ with x, y, z ranging over variables, and t, u, v ranging over terms. We have the following conditional reduction rules:

Name    Reduction                                                 Condition
Beta    $(\lambda x.t)u \to_w t[u/x]$
Var1    $x[v/x] \to_w v$
Var2    $y[v/x] \to_w y$                                          $x \neq y$
App     $(tu)[v/x] \to_w (t[v/x])(u[v/x])$
Lam1    $(\lambda y.t)[v/y] \to_w \lambda y.t$
Lam2    $(\lambda y.t)[v/x] \to_w \lambda y.t[v/x]$               $x \in fv(t),\ y \notin fv(v),\ x \neq y$
Lam3    $(\lambda y.t)[v/x] \to_w \lambda z.(t[z/y])[v/x]$        $x \in fv(t),\ y \in fv(v),\ x \neq y,\ z \text{ fresh}$
Comp    $(t[u/x])[v/y] \to_w (t[v/y])[u[v/y]/x]$


Five rules cause the real computational work: Var2 and Lam1 discard the term v, App and Comp duplicate the term v, and Lam3 requires an additional substitution (renaming) to avoid variable capture and variable clash. We now look at ways of reducing these overheads.

Our first improvement is to direct substitutions so that terms are only propagated to the places where they are actually required, avoiding making copies that will later be discarded. For instance, the App rule can be replaced by the rules:

$(tu)[v/x] \to_w (t[v/x])u$                    $x \in fv(t),\ x \notin fv(u)$
$(tu)[v/x] \to_w t(u[v/x])$                    $x \in fv(u),\ x \notin fv(t)$
$(tu)[v/x] \to_w (tu)$                         $x \notin fv(tu)$
$(tu)[v/x] \to_w (t[v/x])(u[v/x])$             $x \in fv(t),\ x \in fv(u)$

Factoring out the linear and the non-linear occurrences of the variables can be done at the syntactical level, which eliminates the last two rules. If x ∉ fv(t), then we can make this explicit using the erase construct $\mathcal{E}_x(t)$. The associated reduction rule must preserve this notation, by erasing the substitution and creating explicit erasing constructs for each of the free variables of the substitution:

$\mathcal{E}_x(t)[v/x] \to_w \mathcal{E}_{\vec{x}}(t)$

where $\vec{x} = fv(v)$, and the notation $\mathcal{E}_{\vec{x}}(t)$ can be thought of as an abbreviation of $\mathcal{E}_{x_1}(\cdots \mathcal{E}_{x_n}(t) \cdots)$. Remark that if fv(v) = ∅ then the rule is simply $\mathcal{E}_x(t)[v/x] \to_w t$.

If x occurs twice in a term u, then renaming one occurrence to y and the other to z and using the $\mathcal{C}^{y,z}_x(u)$ construct makes the copying explicit, as given by the following associated rule:

$\mathcal{C}^{y,z}_x(t)[v/x] \to_w \mathcal{C}^{\vec{y},\vec{z}}_{\vec{x}}((t[v[\vec{y}/\vec{x}]/y])[v[\vec{z}/\vec{x}]/z])$

where $\vec{x} = fv(v)$, and renamings of the free variables of each copy of v are introduced to preserve the notation. Remark that if fv(v) = ∅ then the rule is simply $\mathcal{C}^{y,z}_x(t)[v/x] \to_w (t[v/y])[v/z]$. Copying terms with free variables can cause the duplication of redexes that might be created later during reduction. An obvious solution to this would simply be to only copy closed terms (i.e. without free variables), which avoids the renaming substitutions in the rule. Note that we no longer need the rules Var2 and Lam1 with these constructs.

Similarly to the App rule, the Comp rule now splits into:

$(t[u/x])[v/y] \to_w t[u[v/y]/x]$           $y \in fv(u)$
$(t[u/x])[v/y] \to_w (t[v/y])[u/x]$         $y \in fv(t)$

The first rule is useful, since it allows the substitution process to move towards completion. However, the second rule is a clear candidate for non-termination and is not essential in the calculus. We drop it from the system, thus eliminating the usual termination problems of explicit substitution calculi; we refer the reader to [9] for examples.

There is an important issue with respect to the order of application of the revised Comp rule. Consider the term $t_0[t_1/x_0][t_2/x_1] \cdots$ with $fv(t_i) = \{x_i\}$, i < n, and $fv(t_n) = \emptyset$. There is a choice between innermost and outermost application of this rule. Working innermost requires $\sum_{i=0}^{n} i = \frac{n^2+n}{2}$ applications of the rule, which is O(n²), whereas the outermost sequence requires exactly n steps. A sufficient condition to get an outermost strategy is to require the substitution to be closed in the Comp rule.




224   M. Fernández and I. Mackie



Our next refinement is motivated by pushing substitutions through an abstraction efficiently. This operation is quite a complex task, as indicated by the Lam3 rule: variables must be renamed to avoid variable capture, and thus the operation requires an additional substitution. Avoiding substitution through an abstraction is one solution to this problem, but may also cause duplication of work later. To obtain more sharing, substitution (and reduction) under an abstraction should be allowed. To overcome this clash of interests, one can remark that the rule Lam3 can be eliminated if the substitution v is closed. In this way there is no risk of variable clash or variable capture: $(\lambda x.t)[v/y] \to_w \lambda x.t[v/y]$, if fv(v) = ∅. Note that the Comp rule is essential to group substitutions together so that a single closed substitution can be pushed through an abstraction. Not only does this give the shortest reduction path, but at the same time it eliminates the problems of variable capture and clash.

Our last rule of study is the Beta rule. Consider the term $((\lambda y.t)u)[v/x]$, where x ∈ fv(t) and fv(u) = ∅. If we first perform the Beta rule we obtain $(t[u/y])[v/x]$; however, if we perform the Comp rule first we obtain $(t[v/x])[u/y]$. Since we have eliminated one of the cases for the Comp rule there is a potential confluence problem. We can avoid it by only allowing β-reduction to take place when the function is closed: $(\lambda x.t)u \to_w t[u/x]$, if $fv(\lambda x.t) = \emptyset$. This resolves the above problem by cutting out the possibility of performing the Beta rule first. In other work on explicit substitutions it is interesting to note that it is the application of the Comp rule first that is ruled out; see for instance [10].

This completes our refinements; we can now clean up the rules that we have discussed up until now, obtaining what we call closed reduction.

3 Closed Reduction

Putting the previous ideas together suggests a strategy for implementing the λ-calculus. The strategy is clearly a weak one, since it will not always be the case that substitutions will be closed, but we show that it is adequate for the evaluation of programs (i.e. closed terms of base type). The following is the definition of the λ_c-calculus which we use for the rest of this paper.

Definition 2 (λ_c-terms). The following table summarizes the terms, variable constraints and the free variables of the terms.

Name           Term                         Variable Constraint                                        Free Variables
Variable       $x$                          -                                                          $\{x\}$
Abstraction    $\lambda x.t$                $x \in fv(t)$                                              $fv(t) - \{x\}$
Application    $(tu)$                       $fv(t) \cap fv(u) = \emptyset$                             $fv(t) \cup fv(u)$
Erase          $\mathcal{E}_x(t)$           $x \notin fv(t)$                                           $fv(t) \cup \{x\}$
Copy           $\mathcal{C}^{y,z}_x(t)$     $x \notin fv(t),\ y \neq z,\ \{y,z\} \subseteq fv(t)$      $(fv(t) - \{y,z\}) \cup \{x\}$
Substitution   $t[u/x]$                     $x \in fv(t),\ (fv(t) - \{x\}) \cap fv(u) = \emptyset$     $(fv(t) - \{x\}) \cup fv(u)$

Definition 3 (Closed Reduction). Let t, u be λ_c-terms. $t \to_w u$ is called a closed reduction and is given by the following conditional rewrite system (variables of λ_c-terms are treated as constants in the rewrite system, thus x ≠ x', etc.).

Name     Reduction                                                              Condition
Beta     $(\lambda x.t)u \to_w t[u/x]$                                             $fv(\lambda x.t) = \emptyset$
Var      $x[v/x] \to_w v$                                                         -
App1     $(tu)[v/x] \to_w (t[v/x])u$                                              $x \in fv(t)$
App2     $(tu)[v/x] \to_w t(u[v/x])$                                              $x \in fv(u)$
Lam      $(\lambda y.t)[v/x] \to_w \lambda y.t[v/x]$                              $fv(v) = \emptyset$
Copy1    $\mathcal{C}^{y,z}_x(t)[v/x] \to_w (t[v/y])[v/z]$                        $fv(v) = \emptyset$
Copy2    $\mathcal{C}^{y,z}_{x'}(t)[v/x] \to_w \mathcal{C}^{y,z}_{x'}(t[v/x])$    $fv(v) = \emptyset$
Erase1   $\mathcal{E}_x(t)[v/x] \to_w t$                                          $fv(v) = \emptyset$
Erase2   $\mathcal{E}_{x'}(t)[v/x] \to_w \mathcal{E}_{x'}(t[v/x])$                -
Comp     $(t[w/y])[v/x] \to_w t[w[v/x]/y]$                                        $x \in fv(w)$

As usual, we write $\to_w^*$ for the transitive reflexive closure of $\to_w$. The subscript $w$ is used to indicate that it is a weak calculus. These reduction steps can be applied in every context, in particular within substitutions and under abstractions.

The conditions on the rules are motivated both from an efficiency point of view, with respect to minimizing the number of $\beta$-reduction and substitution steps, and from a simplification point of view for the substitution calculus.

Remark 1. There are a number of variants of the reduction rules, which do not change the basic results of this paper. For instance, in a simply typed framework, the Copy1 rule can reduce the substituted term $v$ to normal form before copying, thus avoiding redex duplication. The App1, App2 and Comp rules could also require $v$ to be closed, giving a weaker but more directed strategy (with the shortest reduction paths). We shall make use of this variant in Section 7.

Note that since we only do closed reductions, we do not need to represent 
substitutions by lists, as it is done in most calculi of explicit substitutions. In 
this way we avoid the introduction of constructors for lists and the operation of 
concatenation with associativity. 

Definition 4 (Compilation). Let $t$ be a $\lambda$-term with $\mathrm{fv}(t) = \{x_1,\ldots,x_n\}$. Then compilation into $\lambda_c$ is defined as $[x_1]\ldots[x_n]t^\circ$, with $(\cdot)^\circ$ given by: $x^\circ = x$, $(tu)^\circ = t^\circ u^\circ$, and $(\lambda x.t)^\circ = \lambda x.[x]t^\circ$ if $x \in \mathrm{fv}(t)$, otherwise $(\lambda x.t)^\circ = \lambda x.E_x(t^\circ)$. We define $[\cdot]\cdot$ as:

$[x]x = x$

$[x](\lambda y.t) = \lambda y.[x]t$

$[x](tu) = C^{x',x''}_x(([x']t\{x'/x\})([x'']u\{x''/x\}))$   if $x \in \mathrm{fv}(t)$, $x \in \mathrm{fv}(u)$

$[x](tu) = ([x]t)u$   if $x \in \mathrm{fv}(t)$, $x \notin \mathrm{fv}(u)$

$[x](tu) = t([x]u)$   if $x \in \mathrm{fv}(u)$, $x \notin \mathrm{fv}(t)$

$[x]E_y(t) = E_y([x]t)$

$[x]C^{y',y''}_y(t) = C^{y',y''}_y([x]t)$

where the substitution is the usual (implicit) notion, and the variables $x'$ and $x''$ above are assumed to be fresh.
Remark 2. Terms built from the compilation are pure terms (they do not contain substitutions). The compilation functions are simply counting variables, placing erasing operations outermost, and copying operations innermost. In particular, remark that the compilation only introduces an erasing construct immediately after an abstraction: $\lambda x.E_x(t)$. If we are only interested in terms arising from the compilation, we can abbreviate this to $\lambda\_.t$, together with a new reduction rule BetaErase: $(\lambda\_.t)u \to_w t$, if $\mathrm{fv}(u) = \emptyset$, in place of the rules Erase1, Erase2.

Proposition 1. If $t$ is a $\lambda$-term with free variables $\mathrm{fv}(t) = \{x_1,\ldots,x_n\}$, then:

1. $\mathrm{fv}([x_1]\cdots[x_n]t^\circ) = \mathrm{fv}(t)$.

2. $[x_1]\cdots[x_n]t^\circ$ is a valid $\lambda_c$-term (satisfying the variable constraints).

There are valid $\lambda_c$-terms which are not derived from the translation of $\lambda$-terms, such as: $\lambda y.((xy)[\lambda x.x/x])$. Here a Beta rule must have been applied when the function was not closed. In this paper we will always assume that we are dealing with $\lambda_c$-terms derived from the translation and their reducts, and as shown below, reduction preserves the variable constraints. Some of the constraints of the rewriting system can be eliminated with these assumptions, but we keep them for clarity. We can recover a $\lambda$-term from a $\lambda_c$-term by simply erasing the additional constructs and completing the substitutions:

Definition 5 (Read-back).

$x^* = x$

$(E_x(t))^* = t^*$

$(C^{y,z}_x(t))^* = t^*\{x/y, x/z\}$

$(t[u/x])^* = t^*\{u^*/x\}$

$(tu)^* = t^*u^*$

$(\lambda x.t)^* = \lambda x.t^*$

One can easily show that if $\mathrm{fv}(t) = \{x_1,\ldots,x_n\}$, then $([x_1]\cdots[x_n]t^\circ)^* = t$.
Example 1. We give several example terms in this calculus:

$I = (\lambda x.x)^\circ = \lambda x.x$

$K = (\lambda xy.x)^\circ = \lambda xy.E_y(x)$

$S = (\lambda xyz.xz(yz))^\circ = \lambda xyz.C^{z',z''}_z((xz')(yz''))$

$2 = (\lambda fx.f(fx))^\circ = \lambda fx.C^{f',f''}_f(f'(f''x))$

$Y = (\lambda f.(\lambda x.f(xx))(\lambda x.f(xx)))^\circ = \lambda f.C^{f',f''}_f((\lambda x.f'(C^{x',x''}_x(x'x'')))(\lambda x.f''(C^{x',x''}_x(x'x''))))$

and a reduction sequence to normal form:

$22 = (\lambda fx.C^{f',f''}_f(f'(f''x)))2$
$\to_w (\lambda x.C^{f',f''}_f(f'(f''x)))[2/f]$
$\to_w^* \lambda x.2(2x)$
$\to_w \lambda x.(\lambda x.C^{f',f''}_f(f'(f''x)))[2x/f]$
$\to_w \lambda x.(\lambda x.C^{f',f''}_f(f'(f''x)))[(\lambda x.C^{f',f''}_f(f'(f''x)))[x/f]/f]$

Remark that it is impossible to duplicate the variable $x$ in the last line: we must wait for a closing substitution before continuing. If we apply this to a closed term, for instance $I$, then reduction can continue:

$22I \to_w^* ((\lambda x.C^{f',f''}_f(f'(f''x)))[(\lambda x.C^{f',f''}_f(f'(f''x)))[x/f]/f])[I/x]$
$\to_w (\lambda x.C^{f',f''}_f(f'(f''x)))[(\lambda x.C^{f',f''}_f(f'(f''x)))[I/f]/f]$
$\to_w^* (\lambda x.C^{f',f''}_f(f'(f''x)))[(\lambda x.I(Ix))/f]$
$\to_w^* (\lambda x.C^{f',f''}_f(f'(f''x)))[I/f]$
$\to_w^* \lambda x.I(Ix)$
$\to_w^* \lambda x.x$

If one studies this example in detail, there are several strategies of evaluation possible. The best (shortest) route to take is always to push closed substitutions through an application, and reduce terms to normal form before copying.

In the $\lambda$-calculus, $Y$ is a term which has a weak head normal form, but no head normal form. However, even though we reduce under abstractions there is no infinite sequence of reductions in $\lambda_c$, since the only redex (the application of the two abstractions) has a free variable $f$:

$\lambda f.C^{f',f''}_f((\lambda x.f'(C^{x',x''}_x(x'x'')))(\lambda x.f''(C^{x',x''}_x(x'x''))))$

However, the term $YI$ does generate a non-terminating sequence.

Note that we never need any $\alpha$-conversions during the reductions, although the same variable can appear several times in the term being reduced.
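A runnable model of Definitions 2 to 5 and Example 1, added here as example code (it is not the paper's own implementation): terms are Python tuples, step() applies one rule of the closed reduction system in any context, normalize() iterates it, and compile_term() and readback() implement $(\cdot)^\circ$ and $(\cdot)^*$. The tuple encoding, the function names and the primed fresh names are this example's assumptions.

```python
from functools import reduce

# Constructed encodings:  ('var', x)  ('lam', x, t)  ('app', t, u)  ('erase', x, t)
#   ('copy', x, y, z, t) = C_x^{y,z}(t)      ('sub', t, v, x) = t[v/x]
def fv(t):
    """Free variables, following the table of Definition 2."""
    k = t[0]
    if k == 'var':   return {t[1]}
    if k == 'lam':   return fv(t[2]) - {t[1]}
    if k == 'app':   return fv(t[1]) | fv(t[2])
    if k == 'erase': return fv(t[2]) | {t[1]}
    if k == 'copy':  return (fv(t[4]) - {t[2], t[3]}) | {t[1]}
    return (fv(t[1]) - {t[3]}) | fv(t[2])                          # 'sub'
def subst(t, x, v):
    """Capture-avoiding t{v/x} on pure terms; on erase/copy nodes v is a fresh variable."""
    k = t[0]
    if k == 'var':   return v if t[1] == x else t
    if k == 'app':   return ('app', subst(t[1], x, v), subst(t[2], x, v))
    if k == 'erase': return ('erase', v[1] if t[1] == x else t[1], subst(t[2], x, v))
    if k == 'copy':  return ('copy', v[1] if t[1] == x else t[1], t[2], t[3], subst(t[4], x, v))
    y, body = t[1], t[2]                                           # 'lam'
    if y == x: return t
    if y in fv(v):                                                 # rename the binder first
        y2 = y + '_'
        while y2 in fv(v) or y2 in fv(body): y2 += '_'
        body, y = subst(body, y, ('var', y2)), y2
    return ('lam', y, subst(body, x, v))
def bracket(x, t):
    """[x]t of Definition 4: x is copied innermost, at the applications that use it twice."""
    k = t[0]
    if k == 'var':   return t
    if k == 'lam':   return ('lam', t[1], bracket(x, t[2]))
    if k == 'erase': return ('erase', t[1], bracket(x, t[2]))
    if k == 'copy':  return t[:4] + (bracket(x, t[4]),)
    l, r = t[1], t[2]
    if x in fv(l) and x in fv(r):
        x1, x2 = x + "'", x + "''"                                 # fresh names, as in the paper
        return ('copy', x, x1, x2, ('app', bracket(x1, subst(l, x, ('var', x1))),
                                           bracket(x2, subst(r, x, ('var', x2)))))
    return ('app', bracket(x, l), r) if x in fv(l) else ('app', l, bracket(x, r))
def compile_term(t):
    """[x1]...[xn] t^o of Definition 4 for a pure lambda-term with free x1..xn."""
    def circ(t):
        if t[0] == 'var': return t
        if t[0] == 'app': return ('app', circ(t[1]), circ(t[2]))
        x, body = t[1], circ(t[2])
        return ('lam', x, bracket(x, body) if x in fv(body) else ('erase', x, body))
    return reduce(lambda c, x: bracket(x, c), sorted(fv(t), reverse=True), circ(t))
def step(t):
    """One closed-reduction step (Definition 3), leftmost-outermost; None if normal."""
    k = t[0]
    if k == 'app' and t[1][0] == 'lam' and not fv(t[1]):           # Beta: closed function
        return ('sub', t[1][2], t[2], t[1][1])
    if k == 'sub':
        b, v, x = t[1], t[2], t[3]
        closed = not fv(v)
        if b[0] == 'var': return v                                   # Var
        if b[0] == 'app':                                            # App1 / App2
            if x in fv(b[1]): return ('app', ('sub', b[1], v, x), b[2])
            return ('app', b[1], ('sub', b[2], v, x))
        if b[0] == 'lam' and closed:                                 # Lam
            return ('lam', b[1], ('sub', b[2], v, x))
        if b[0] == 'copy' and closed:                                # Copy1 / Copy2
            if b[1] == x: return ('sub', ('sub', b[4], v, b[2]), v, b[3])
            return b[:4] + (('sub', b[4], v, x),)
        if b[0] == 'erase' and (b[1] != x or closed):                # Erase1 / Erase2
            return b[2] if b[1] == x else ('erase', b[1], ('sub', b[2], v, x))
        if b[0] == 'sub' and x in fv(b[2]):                          # Comp
            return ('sub', b[1], ('sub', b[2], v, x), b[3])
    for i, s in enumerate(t):                                        # else: reduce in any context
        if isinstance(s, tuple) and (r := step(s)) is not None:
            return t[:i] + (r,) + t[i + 1:]
    return None
def normalize(t, max_steps=2000):
    """Apply step() until no rule fires; returns (normal form, number of steps)."""
    for n in range(max_steps):
        r = step(t)
        if r is None: return t, n
        t = r
    raise RuntimeError("no normal form within %d steps" % max_steps)
def readback(t):
    """(.)* of Definition 5: erase the extra constructs and complete substitutions."""
    k = t[0]
    if k == 'var':   return t
    if k == 'lam':   return ('lam', t[1], readback(t[2]))
    if k == 'app':   return ('app', readback(t[1]), readback(t[2]))
    if k == 'erase': return readback(t[2])
    if k == 'copy':                                                  # t*{x/y, x/z}
        b = readback(t[4])
        return subst(subst(b, t[2], ('var', t[1])), t[3], ('var', t[1]))
    return subst(readback(t[1]), t[3], readback(t[2]))               # t*{u*/x}

# Constructed sample terms (I and 2 of Example 1).
V = lambda x: ('var', x)
lam = lambda xs, body: reduce(lambda b, x: ('lam', x, b), reversed(xs.split()), body)
app = lambda *ts: reduce(lambda t, u: ('app', t, u), ts)
I = lam('x', V('x'))
TWO = lam('f x', app(V('f'), app(V('f'), V('x'))))
```

normalize(app(compile_term(TWO), compile_term(TWO), compile_term(I))) reaches $\lambda x.x$, whereas $2\,2$ alone stops at the open substitution shown in Example 1, and $YI$ exhausts the step budget.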

4 Properties

In this section we show some basic properties of the rewrite system which we use to reduce $\lambda_c$-terms, i.e. ground terms with respect to the rewrite system.

Proposition 2 (Correctness of $\to_w$).

1. If $t \to_w u$ then $\mathrm{fv}(t) = \mathrm{fv}(u)$.

2. If $t$ is a $\lambda_c$-term and $t \to_w u$, then $u$ is a $\lambda_c$-term (i.e. the relation $\to_w$ preserves the variable constraints).

Proposition 3 (Local Confluence). If $t \to_w u$ and $t \to_w v$ then there is a term $s$ such that $u \to_w^* s$ and $v \to_w^* s$.

Proof. There are five critical pairs to consider, since all the other potential superpositions are eliminated from the system because of the free variable constraints. In all the cases the critical pair converges. □

To prove the termination of the rules for substitution we define the distance $|t|_x$ from the root of the term $t$ to the unique occurrence of the free variable $x$ as: $|x|_x = 1$, $|\lambda y.t|_x = 1 + |t|_x$, $|tu|_x = 1 + |t|_x$ (if $x \in \mathrm{fv}(t)$), $|tu|_x = 1 + |u|_x$ (if $x \in \mathrm{fv}(u)$), $|E_x(t)|_x = 1$, $|E_y(t)|_x = 1 + |t|_x$, $|C^{y,z}_x(t)|_x = 1 + |t|_y + |t|_z$, $|C^{y',y''}_y(t)|_x = 1 + |t|_x$, and $|t[v/y]|_x = 1 + |v|_x$ (if $x \in \mathrm{fv}(v)$), otherwise $|t[v/y]|_x = 1 + |t|_x$ (if $x \in \mathrm{fv}(t)$).
Proposition 4 (Termination of substitutions). There are no infinite reduction sequences starting from $t[v/x]$ using only the rules for substitution.

Proof. We define an interpretation that associates to each term a multiset with one element for each sub-term $w[s/x]$ occurring in $t$, which is $|w|_x$. Each application of a substitution rule decreases the interpretation of the term, since we always apply a substitution to a sub-term of $t$ or erase it, and the distance is reduced. □

We now look at the problem of preservation of strong normalization (a calculus of explicit substitutions preserves strong normalization if the compilation of a strongly normalizable $\lambda$-term is strongly normalizable).

Our proof is inspired by that of $\lambda\upsilon$ [7]. We first define a notion of minimal infinite derivation. Intuitively, a derivation is minimal if we always reduce the lowest possible redex to keep non-termination. We denote by $\to_S^*$ a sequence of reductions in $\lambda_c$ that does not use the Beta rule, and by $\to_{Beta,p}$ a Beta reduction at position $p$.

Definition 6 (Minimal derivation). An infinite $\lambda_c$ derivation

$t \to_S^* \to_{Beta,p_1} t_1 \to_S^* \to_{Beta,p_2} \cdots$

is minimal if for any other infinite derivation

$t \to_S^* \to_{Beta,p_1} \to_S^* \cdots \to_{Beta,q} \to_S^* \cdots$

we have $q \not> p_i$ for every $i$.

In other words, in any other infinite derivation, $p_i$ and $q$ are disjoint or $q$ is above $p_i$, which means that the Beta-redex we reduce is a lowest one.

Lemma 1. 1. If $u \to_S u'$ then $u^* = u'^*$.

2. If $u \to_{Beta} u'$ is a step in a minimal derivation starting from the translation of a $\lambda$-term then $u^* \to_\beta^+ u'^*$.

Proof. 1. Straightforward inspection of the rules for substitution.

2. The term $u$ contains a Beta redex, and the minimality assumption for the derivation ensures that in the translation to $u^*$ this redex is not erased (but it can of course be copied). Hence $u^* \to_\beta^+ u'^*$. □

Proposition 5 (Preservation of Strong Normalization). If $t$ is the translation of a strongly normalizable $\lambda$-term then $t$ is strongly normalizable.

Proof. Assuming that there is an infinite reduction sequence starting from $t = [x_1]\cdots[x_n]s^\circ$ in $\lambda_c$, we will show that there is an infinite derivation for the strongly normalizable $\lambda$-term $s$ (contradiction). For this we consider an infinite minimal reduction sequence out of $t$. Since the rules for substitution are terminating, it contains an infinite number of applications of Beta.

$t \to_S^* t_1 \to_{Beta} t_2 \to_S^* t_3 \to_{Beta} t_4 \cdots$

Since $t^* = s$, we obtain an infinite derivation for $s$, by Lemma 1 (contradiction):

$s = t^* = t_1^* \to_\beta^+ t_2^* = t_3^* \to_\beta^+ t_4^* \cdots$ □
5 A Type System for $\lambda_c$

There is also a typed version of the calculus, which is given by the following rules. We remark that many of the syntactical constraints are now captured by the type rules.

$\dfrac{\Gamma, x{:}A, y{:}B, \Delta \vdash t : C}{\Gamma, y{:}B, x{:}A, \Delta \vdash t : C}$

$x{:}A \vdash x{:}A$

$\dfrac{\Gamma, x{:}A \vdash t : B \qquad \Delta \vdash v : A}{\Gamma, \Delta \vdash t[v/x] : B}$ (SUB)

$\dfrac{\Gamma, x{:}A \vdash t : B}{\Gamma \vdash \lambda x.t : A \to B}$ (ABS)

$\dfrac{\Gamma \vdash t : A \to B \qquad \Delta \vdash u : A}{\Gamma, \Delta \vdash tu : B}$ (APP)

$\dfrac{\Gamma \vdash t : B}{\Gamma, x{:}A \vdash E_x(t) : B}$ (WEAK)

$\dfrac{\Gamma, x{:}A, y{:}A \vdash t : B}{\Gamma, z{:}A \vdash C^{x,y}_z(t) : B}$ (CONT)

Lemma 2 (Subject Reduction). If $\Gamma \vdash t : A$ and $t \to_w u$ then $\Gamma \vdash u : A$.

We extend $\lambda_c$ (and the $\lambda$-calculus) to include a generic constant $\star : \iota$, with the following axiom: $\vdash \star : \iota$, where the type $\iota$ represents a generic base type. This extension gives us a very minimalistic functional programming language. There are no additional reduction rules for this constant, and the above subject reduction theorem can easily be seen to hold with the addition of this axiom. Obviously, $\mathrm{fv}(\star) = \emptyset$.

Lemma 3. Let $t$ be a $\lambda$-term and $s$ its compilation in $\lambda_c$. $t$ is simply typable if and only if $s$ is typable.

We now look at the problem of termination of typable terms, keeping with the philosophy of only considering terms that are derived from $\lambda$-terms. This is an assumption in all the following results.

Since simply typable $\lambda$-terms are strongly normalizable, as a direct consequence of Lemma 3 and Proposition 5 we obtain:

Proposition 6 (Termination). If $\Gamma \vdash t : A$ in $\lambda_c$ then $t$ is strongly normalizable.

Proposition 7 (Confluence). If $\Gamma \vdash t : A$, $t \to_w^* u$ and $t \to_w^* v$ then there is a term $s$ such that $u \to_w^* s$ and $v \to_w^* s$.

Definition 7 (Programs). A program is a closed term of type $\iota$.

We can show that in our calculus programs can be reduced to values which are pure terms. This can be understood as: for all closed terms of type $\iota$, there are enough closed substitutions so that they can all complete. For that we need a lemma.




230    M. Fernández and I. Mackie



Lemma 4 (Completion of closed substitutions). If $v$ is a closed term, then $t[v/x]$ is not a normal form.

Proof. The compilation function gives a term that satisfies the variable constraints, and reduction preserves the constraints (Proposition 2). Therefore $x$ occurs in $t$. If $t$ is a variable, application, abstraction, erasing or copying, then we can apply one of the rules for substitution. If $t = u[w/y]$ then $x$ occurs free in $w$ (it cannot occur free in $u$ since the Beta rule that created the substitution could not be applied with an open function), therefore we can apply the Comp rule. □

Theorem 1 (Adequacy). If $t$ is a program, then $t \to_w^* \star$.

Proof. By Subject Reduction, the type of the term is preserved under reduction. Assume for a contradiction that the program $t$ is in normal form, and it is not $\star$. Since $t$ is closed, it cannot be a variable, an erasing construct or a copying construct. Since it is of type $\iota$, it cannot be an abstraction either. If $t = u[v/x]$ then $v$ is closed (since $t$ is closed), and therefore one of the rules for substitution would apply by Lemma 4. Hence $t$ is an application.

Let $t = u_1 u_2 \ldots u_n$, $n \geq 2$, such that $u_1$ is not an application. Since $t$ is closed, so are $u_1, \ldots, u_n$. Hence $u_1$ is not a variable, a copying or an erasing. Since $t$ is a normal form, $u_1$ cannot be an abstraction either (the Beta rule would apply). Therefore $u_1$ is a term of the form $s[s'/x]$ where $s'$ is closed and $x$ is the only free variable of $s$. But then $u_1$ is not a normal form (Lemma 4), which contradicts our assumption. □

Note that this result also holds even if we take a weaker calculus with closed substitutions for the application and variable rules. The type system and the notion of a program can be regarded as a simplification of the usual notion from the language PCF [11], where we have just one constant, and no arithmetic functions or recursion. There are no difficulties in extending this calculus to the full language of PCF.

6 Relation with $\beta$-reduction

In this section we compare closed reduction with several common evaluation strategies for the $\lambda$-calculus. In most functional programming languages closed terms are reduced to weak head normal form (WHNF). There are three main strategies of reduction to WHNF: call-by-name, leftmost outermost (normal order); call-by-value, leftmost innermost (applicative order); and call-by-need, call-by-name plus sharing.

We will show that we can simulate the three strategies in $\lambda_c$. Let $t$ be a closed $\lambda$-term and $u$ its WHNF obtained using one of these strategies. We will show that $t^\circ \to_w^* u^\circ$, by induction on the length of the derivation $t \to^* u$. If $t$ is already a WHNF the result is trivial. We assume there is a non-empty reduction to WHNF. The following lemma will be useful to establish the connection with $\beta$-reduction in the $\lambda$-calculus.
Lemma 5. Let $F$ and $Q$ be $\lambda$-terms such that $\mathrm{fv}(F) = \{x_1,\ldots,x_n\}$, $n \geq 1$, and $\mathrm{fv}(Q) = \emptyset$; then $([x_1]\ldots[x_n]F^\circ)[Q^\circ/x_1] \to_w^* [x_2]\ldots[x_n](F\{Q/x_1\})^\circ$.

Proof. By Proposition 1 (Part 1), $\mathrm{fv}(Q^\circ) = \emptyset$, and $x_1 \in \mathrm{fv}([x_1]\ldots[x_n]F^\circ)$. The result is obtained by induction on $F$. We show just one case, when $F = \lambda y.t$, $y \in \mathrm{fv}(t)$. Assume w.l.o.g. that $x$ is the only free variable of $F$.

$([x](\lambda y.t)^\circ)[Q^\circ/x] = ([x](\lambda y.[y]t^\circ))[Q^\circ/x]$
$= (\lambda y.[x][y]t^\circ)[Q^\circ/x]$
$\to_w \lambda y.([x][y]t^\circ)[Q^\circ/x]$
$\to_w^* \lambda y.[y](t\{Q/x\})^\circ$   (IH)
$= ((\lambda y.t)\{Q/x\})^\circ$ □

Call-by-name. Let $t \to u$ be the first step in a call-by-name reduction to WHNF in the $\lambda$-calculus. Then let $t = (\lambda x.P)Q$, with $\mathrm{fv}(Q) = \emptyset$ and $u = P\{Q/x\}$. There are two cases to consider. If $x \in \mathrm{fv}(P)$ then

$t^\circ = (\lambda x.P)^\circ Q^\circ = (\lambda x.[x]P^\circ)Q^\circ \to_w ([x]P^\circ)[Q^\circ/x] \to_w^* (P\{Q/x\})^\circ$

using Lemma 5. Otherwise

$t^\circ = (\lambda x.P)^\circ Q^\circ = (\lambda x.E_x(P^\circ))Q^\circ \to_w (E_x(P^\circ))[Q^\circ/x] \to_w P^\circ = (P\{Q/x\})^\circ$

Call-by-value. Let $t = (\lambda x.P)Q$ be a closed $\lambda$-term and $u$ its WHNF using call-by-value; then there is a sequence of reductions:

$(\lambda x.P)Q \to^* (\lambda x.P)V \to^* u$

where $V$ is a value (WHNF for closed terms). Using induction and Lemma 5:

$t^\circ = (\lambda x.P)^\circ Q^\circ \to_w^* (\lambda x.P)^\circ V^\circ \to_w^* u^\circ$

Call-by-need. Let $t$ be a closed term and $u$ its WHNF using call-by-need. To simulate call-by-need it is enough to reduce a substitution to WHNF before applying it, when it is needed (i.e. not in $E_x(t)[u/x]$). We can simulate the reductions in the call-by-need $\lambda$-calculus of Ariola and Felleisen [2], by using the explicit substitutions construction instead of let, and using the erasing rule to erase the substitutions that are not needed. Consider the following example, which is taken from [2] and adapted to our notation:

$(\lambda f.C^{f',f''}_f(f'I(f''I)))((\lambda zw.zw)(II)) \to_w C^{f',f''}_f(f'I(f''I))[(\lambda zw.zw)(II)/f]$
$\to_w C^{f',f''}_f(f'I(f''I))[(\lambda w.zw)[II/z]/f]$
$\to_w^* C^{f',f''}_f(f'I(f''I))[(\lambda w.Iw)/f]$
$\to_w^* C^{f',f''}_f(f'I(f''I))[(\lambda w.w)/f]$
$\to_w^* (\lambda w.w)I((\lambda w.w)I)$
Remark 3. Note that for reduction of closed terms to WHNF we do not need composition of substitutions (all arguments will be closed); however, having this rule in the system allows additional reductions under abstractions. Although we can reduce open terms (e.g. $(\lambda x.x)y \to_w^* y$), we cannot in general simulate reduction to WHNF on open terms, for instance: $(\lambda x.xy)(\lambda x.x)$ is not a WHNF. We cannot in general simulate reduction to head normal form (HNF), even for closed terms, for example: $\lambda x.(\lambda y.E_y(x))t$. However the calculus is stronger than reduction to WHNF, since we can reduce under abstractions:

$\lambda x.(\lambda y.y)x \to_w \lambda x.y[x/y] \to_w \lambda x.x$

To obtain HNF in general, we can define a different version of the calculus, which requires that the substitution is closed when pushed into an argument of a function, rather than the abstraction, thus a dual version of this calculus which we leave for future study.



7 Alternative Presentation: Director Strings

In this section it will be shown how to present the calculus by using the concept of director strings [6], which can be seen as a way to internalize some of the conditions on the rewriting system. The calculus that we are left with is a generalization of the director strings system of [6] (which corresponds to combinator reduction) where we allow reduction under an abstraction.

To make the presentation more concise, we adopt the version of the calculus where the rules App1, App2 and Comp also require that the substitution is closed. We shall also adopt the alternative syntax of $\lambda\_.t$ rather than $\lambda x.E_x(t)$ for this section, which is equivalent, but more compact, as discussed in Section 3.

The four directors will be used to annotate binary constructors to indicate that a substitution $[t/x]$ is not required, used in both, or just the left or right argument respectively. Unary constructors will have the annotation $\uparrow$, which just means that the substitution is required in the sub-term. $\varepsilon$ will denote the empty string, which annotates closed terms. We will often drop the outermost $\varepsilon$ string, except if it is needed to express a rule.

Working with annotated terms, we no longer need the erasing and copying constructs, since they are captured by the directors. Moreover, variables will always be labeled as $x^{\uparrow}$, and therefore the name of the variable is not important, since only the correct substitution will reach a variable. Thus we will abbreviate $x^{\uparrow}$ as $\uparrow$. Now substitutions and abstractions will no longer need to hold the name of the variable, so we will write $\lambda x.t$ as $\lambda t$, $\lambda\_.t$ as $\lambda^- t$ and $[t/x]$ simply as $[t]$.

In the following we use the notation $|s|$ for the length of the string $s$, and if $d$ is a director, then $d^n$ is a string of $d$'s of length $n$. Let $t$ be a $\lambda$-term with $\mathrm{fv}(t) = \{x_1,\ldots,x_n\}$; its compilation is now defined as $[x_1]\ldots[x_n]t^\circ$ with $(\cdot)^\circ$ given by: $x^\circ = x$, $(tu)^\circ = t^\circ u^\circ$, and $(\lambda x.t)^\circ = \lambda[x]t^\circ$ if $x \in \mathrm{fv}(t)$, otherwise $(\lambda x.t)^\circ = \lambda^- t^\circ$. We define $[\cdot]\cdot$ as:

[x]x = 4- 
[x](At)® = (A[x]t)^® 

[x]{tuy = ([x]t)([x]u)‘^® X e fv(t),x e fv(u) 

= (([x]t)M)'^® X e fv(t),x ^ fv(u) 

= (t([x]u))®^® X G fv(u),x ^ fv(t) 

For example, S = {Xxyz.{xz){yz))° = A(A(A((4,4,)'^®'(4,i)'^®')'^®'‘^)^^)^ K = 
[Xxy.x)° = (A(A“ 4.)^), I = (Ax.x)° = (A 4,). 

The reduction rules for this calculus are now given as follows: 



Name 


Reduction 


Beta 

BetaErase 

Var 

Appl 

App2 

AppS 

Lam 

Comp 


{{xtyuY (fM)® 

(f [u®i])® u®i 

((t®2M)'^®i[u®])® ((f®"[u®])'^''’"'M)®i 

((tM®2)®'®i[u®])® (t(M®"[u®])'^''’"')®i 

((At)J-®i[u®])® (A(t[u®])'-'”^')®1 



We complete this excursion with a simple example reduction sequence to show 
that we can reduce under abstractions. 

{Xx.{Xy.y)x)° = (A((A Xf A(4. A f= (Ax.x)° 

The idea is that the director strings describe a path from the root of the term 
to the occurrence of a variable. Our calculus allows reductions in the term such 
that the path is preserved under these reductions, which makes it a more general 
reduction system than director strings. It remains to be seen if these ideas can 
in fact be extended to the whole of the A-calculus, thus generalizing further than 
closed reductions. 



8 Conclusions 

In this paper we have proposed a strategy for reduction in the $\lambda$-calculus with explicit substitutions. The essential principle is that the reduction process should be simple, and capture the shortest reduction paths.

An implementation of a slight variant of this calculus exists as a system of 
interaction nets [8] , and surprisingly is more efficient in terms of reduction steps 
than interaction net implementations of optimal reduction. However, it remains 
to compare in more detail the relationship between optimal reduction and closed 
reduction. 
Abstract. The $\lambda\Lambda$-calculus is a dependent type theory with both linear and intuitionistic dependent function spaces. It can be seen to arise in two ways. Firstly, in logical frameworks, where it is the language of the RLF logical framework and can uniformly represent linear and other relevant logics. Secondly, it is a presentation of the proof-objects of BI, the logic of bunched implications. BI is a logic which directly combines linear and intuitionistic implication and, in its predicate version, has both linear and intuitionistic quantifiers. The $\lambda\Lambda$-calculus is the dependent type theory which generalizes both implications and quantifiers. In this paper, we describe the categorical semantics of the $\lambda\Lambda$-calculus. This is given by Kripke resource models, which are monoid-indexed sets of functorial Kripke models, the monoid giving an account of resource consumption. We describe a class of concrete, set-theoretic models. The models are given by the category of families of sets, parametrized over a small monoidal category, in which the intuitionistic dependent function space is described in the established way, but the linear dependent function space is described using Day's tensor product.



1 Introduction

A long-standing problem has been to combine type-dependency and linearity. In [13], we introduced the $\lambda\Lambda$-calculus, a first-order dependent type theory with a full linear dependent function space, as well as the usual intuitionistic dependent function space. The $\lambda\Lambda$-calculus can be seen to arise in two ways. Firstly, in logical frameworks [9,18], in which it provides a language that is a suitable basis for a framework capable of properly representing linear and other relevant logics. Secondly, from the logic of bunched implications, BI [15,19], in which the antecedents of sequents are structured not as lists but as bunches, which have two combining operations, one of which admits Weakening and Contraction, and one of which does not. The $\lambda\Lambda$-calculus stands in propositions-as-types correspondence with a fragment of BI [13,12].

The purpose of this paper is to present the categorical semantics of the $\lambda\Lambda$-calculus. This is given by Kripke resource models, which are monoid-indexed sets of functorial Kripke models. The indexing element can be seen as the resource able to realize the structure it indexes. We work with indexed categories rather than, for example, with Cartmell's contextual categories [4], as the indexed approach allows a better separation of the evident conceptual issues.
Kripke resource models generalize, as we might expect, the functorial Kripke models of the $\lambda\Pi$-calculus [18]. These consist of a functor $\mathcal{J} : [W, [C^{op}, \mathbf{Cat}]]$, where $W$ is a Kripke world structure, $C$ is a category with a $(\times, 1)$ cartesian monoidal structure on it and $[C^{op}, \mathbf{Cat}]$ is a strict indexed category. The intuitionistic dependent function space $\Pi$ is modelled as right adjoint to the weakening functor $\pi^* : \mathcal{J}(W)(D) \to \mathcal{J}(W)(D \times A)$.

In the $\lambda\Lambda$-calculus, we have two kinds of context extension operators, so we require $C$ to have two kinds of monoidal structure on it, $(\otimes, I)$ and $(\times, 1)$. The intuitionistic dependent function space $\Pi$ can be modelled, as usual, using the right adjoint to projection. However, there is no similar projection functor corresponding to $\Lambda$. For this, we must require the existence of the natural isomorphism $\mathrm{Hom}_{\mathcal{J}(w)(D \otimes A)}(-, B) \cong \mathrm{Hom}_{\mathcal{J}(w)(D)}(-, \Lambda x{:}A.B)$, where $D \otimes A$ is defined in the $r + r'$-indexed model. This is sufficient to define the function space.

While the $\lambda\Lambda$-calculus has familiar soundness and, via a term model, completeness theorems, it is important to ask if there is a natural class of models. For the $\lambda\Pi$-calculus, for instance, the most intuitive concrete model is that of families of sets, $\mathbf{Fam}$. This can be viewed as an indexed category $\mathbf{Fam} : [\mathbf{Ctx}^{op}, \mathbf{Cat}]$. The base, $\mathbf{Ctx}$, is a small set-theoretic category whose objects are sets and morphisms are set-theoretic functions. For each $D \in obj(\mathbf{Fam})$, $\mathbf{Fam}(D) = \{y \in B(x) \mid x \in D\}$. The fibre is just a discrete category whose objects are the elements of $B(x)$. If $f \in \mathbf{Fam}(C, D)$, then $\mathbf{Fam}(f)$ just re-indexes the set over $D$ to one over $C$. As there is little structure required in the fibre, the description of families of sets can also be given sheaf-theoretically, as $\mathbf{Fam} : [\mathbf{Ctx}^{op}, \mathbf{Set}]$, each $\mathbf{Fam}(D)$ being considered as a discrete category. Using Day's construction [7], we obtain a corresponding class of set-theoretic models, parametrized on a small monoidal category, for the $\lambda\Lambda$-calculus. That is, we describe a families of sets model in $\mathbf{BIFam} : [C, [\mathbf{Ctx}^{op}, \mathbf{Set}]]$, where $C$ is some small monoidal category.

2 The $\lambda\Lambda$-Calculus

A detailed account of the $\lambda\Lambda$-calculus and the RLF logical framework is given in [13]. The work there develops ideas originally presented in [17].

The $\lambda\Lambda$-calculus is a first-order dependent type theory with both linear and intuitionistic function types. The calculus is used for deriving typing judgements. There are three entities in the $\lambda\Lambda$-calculus: objects, types and families of types, and kinds. Objects (denoted by $M, N$) are classified by types. Families of types (denoted by $A, B$) may be thought of as functions which map objects to types. Kinds (denoted by $K$) classify families. In particular, there is a kind Type which classifies the types. We will use $U, V$ to denote any of the entities. The abstract syntax of the $\lambda\Lambda$-calculus is given by the following grammar:

$K ::= \mathrm{Type} \mid \Lambda x{:}A.K \mid \Lambda x{!}A.K$

$A ::= a \mid \Lambda x{:}A.B \mid \Lambda x{!}A.B \mid \lambda x{:}A.B \mid \lambda x{!}A.B \mid AM \mid A \& B$

$M ::= c \mid x \mid \lambda x{:}A.M \mid \lambda x{!}A.M \mid MN \mid \langle M, N \rangle \mid \pi_i(M) \mid$

We write $x \circ A$ to range over both linear ($x{:}A$) and intuitionistic ($x{!}A$) variable declarations. The $\Lambda$ and $\lambda$ bind the variable $x$. The object $\lambda x{:}A.M$ is an inhabitant of the linear dependent function type $\Lambda x{:}A.B$. The object $\lambda x{!}A.M$ is an inhabitant of the type $\Lambda x{!}A.B$ (which can also be written as $\Pi x{:}A.B$). The notion of linear free- and bound-variables (LFV, LBV) and substitution may be defined accordingly. When $x$ is not free in $B$ we write $A \multimap B$ for $\Lambda x{:}A.B$ and $A \to B$ for $\Lambda x{!}A.B$.

We can define the notion of linear occurrence by extending the general idea of occurrence for the $\lambda$-calculus [2], although we note that other definitions may be possible.

Definition 1. 1. $x$ linearly occurs in $x$;

2. If $x$ linearly occurs in $U$ or $V$ (or both), then $x$ linearly occurs in $\lambda y{\circ}U.V$, in $\Lambda y{\circ}U.V$, and in $UV$, where $x \neq y$;

3. If $x$ linearly occurs in both $U$ and $V$, then $x$ linearly occurs in $\langle U, V \rangle$, $U \& V$ and $\pi_i(U)$.

The definition of occurrence is extended to an inhabited type and kind by stating that $x$ occurs in $U{:}V$ if it occurs in $U$, in $V$, or in both. These notions are useful in the proof of the subject reduction property of the type theory. We remark, though, that these definitions are not "linear" in Girard's sense [3,1]. However, they seem quite natural in the bunched setting. O'Hearn and Pym give examples of BI terms (the $\lambda\Lambda$-calculus is in propositions-as-types correspondence with a non-trivial fragment of BI) in which linear variables appear more than once or not at all [15].

Example 1. The linear variable $x$ occurs in the terms $cx{:}Bx$ (assuming $c : \Lambda x{:}A.Bx$), $fx{:}d$ (assuming $f : a \multimap d$) and $\lambda y{:}Cx.y : Cx \multimap Cx$ (assuming $C : A \to \mathrm{Type}$).
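The occurrence predicate of Definition 1 and its extension to inhabited types, written out as example code (not the paper's own) over a constructed tuple encoding of $\lambda\Lambda$ terms; it makes visible that an application or a binder needs $x$ on either side while a pair or a with-type needs it on both sides. The encoding and the function names are this example's assumptions.

```python
# Constructed encodings of lambda-Lambda terms (example code, not from the paper):
#   ('var', x)  ('const', c)  ('Type',)          variables, constants, the kind Type
#   ('lam', y, U, V) / ('lam!', y, U, V)          lambda y:U.V / lambda y!U.V
#   ('Lam', y, U, V) / ('Lam!', y, U, V)          Lambda y:U.V / Lambda y!U.V
#   ('app', U, V)  ('pair', U, V)  ('with', U, V) UV, <U,V>, U&V
#   ('proj', i, U)                                pi_i(U)
BINDERS = ('lam', 'lam!', 'Lam', 'Lam!')

def linearly_occurs(x, t):
    """Definition 1: does the linear variable x occur linearly in the term t?"""
    k = t[0]
    if k == 'var':                       # clause 1
        return t[1] == x
    if k in BINDERS:                     # clause 2: in the domain U or the body V, and x != y
        y, u, v = t[1], t[2], t[3]
        return x != y and (linearly_occurs(x, u) or linearly_occurs(x, v))
    if k == 'app':                       # clause 2: either side of an application
        return linearly_occurs(x, t[1]) or linearly_occurs(x, t[2])
    if k == 'proj':                      # clause 3: projection
        return linearly_occurs(x, t[2])
    if k in ('pair', 'with'):            # clause 3: BOTH components are required
        return linearly_occurs(x, t[1]) and linearly_occurs(x, t[2])
    return False                         # constants and Type

def occurs(x, term, typ):
    """x occurs in the inhabited type U:V if it occurs in U, in V, or in both."""
    return linearly_occurs(x, term) or linearly_occurs(x, typ)

# Constructed terms of Example 1, each as a (term, type) pair.
V, C = (lambda n: ('var', n)), (lambda n: ('const', n))
CX_BX = (('app', C('c'), V('x')), ('app', C('B'), V('x')))                  # c x : B x
FX_D = (('app', V('f'), V('x')), C('d'))                                     # f x : d
ID_CX = (('lam', 'y', ('app', C('C'), V('x')), V('y')),                      # lambda y:Cx.y
         ('Lam', 'y', ('app', C('C'), V('x')), ('app', C('C'), V('x'))))     # : Cx -o Cx
```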

We refer informally to the concept of a linearity constraint. Essentially this means that all linear variables declared in the context are used. Given this, the judgement $x{:}A, y{:}cx \vdash_\Sigma y{:}cx$, in which the linear $x$ is consumed by the (type of) $y$ declared after it and the $y$ itself is consumed in the succedent, is a valid one.

In the $\lambda\Lambda$-calculus, signatures are used to keep track of the types and kinds assigned to constants. Contexts are used to keep track of the types, both linear and intuitionistic, assigned to variables. The abstract syntax for signatures and contexts is given by the following grammar:

$\Sigma ::= \langle\rangle \mid \Sigma, a{!}K \mid \Sigma, c{!}A \qquad \Gamma ::= \langle\rangle \mid \Gamma, x{:}A \mid \Gamma, x{!}A$

The $\lambda\Lambda$-calculus is a formal system for deriving the following judgements:

$\vdash \Sigma\ \mathrm{sig}$                $\Sigma$ is a valid signature
$\vdash_\Sigma \Gamma\ \mathrm{context}$      $\Gamma$ is a valid context in $\Sigma$
$\Gamma \vdash_\Sigma K\ \mathrm{Kind}$       $K$ is a valid kind in $\Sigma$ and $\Gamma$
$\Gamma \vdash_\Sigma A{:}K$                  $A$ has a kind $K$ in $\Sigma$ and $\Gamma$
$\Gamma \vdash_\Sigma M{:}A$                  $M$ has a type $A$ in $\Sigma$ and $\Gamma$

The definition of the type theory depends crucially on several notions to do with the joining and maintenance of contexts; these are the notions of context joining, variable sharing and multiple occurrences. These notions are crucial in allowing the formation of sufficiently complex linear dependent types and we discuss some of the rules of the type theory which exhibit them. The rules for extending contexts are as follows:

$\dfrac{\vdash_\Sigma \Gamma\ \mathrm{context} \qquad \Gamma \vdash_\Sigma A{:}\mathrm{Type}}{\vdash_\Sigma \Gamma, x{:}A\ \mathrm{context}}$

$\dfrac{\vdash_\Sigma \Gamma\ \mathrm{context} \qquad \Gamma \vdash_\Sigma A{:}\mathrm{Type}}{\vdash_\Sigma \Gamma, x{!}A\ \mathrm{context}}$
The main point about these rules is that a context can be extended with either linear or intuitionistic variables. There is no zone or "stoup" separating the linear from the intuitionistic parts of the context.

Some of the interesting type formation rules are given next. The C rule exports type constants from the signature. This can only be allowed in an entirely intuitionistic context.

$\dfrac{\vdash_\Sigma {!}\Gamma\ \mathrm{sig} \qquad a{!}K \in \Sigma}{{!}\Gamma \vdash_\Sigma a{:}K}$ (C)

$\dfrac{\Gamma, x{:}A \vdash_\Sigma B{:}\mathrm{Type}}{\Gamma \vdash_\Sigma \Lambda x{:}A.B : \mathrm{Type}}$ ($\Lambda$I1)

$\dfrac{\Gamma \vdash_\Sigma A{:}\mathrm{Type} \qquad \Delta \vdash_\Sigma B{:}\mathrm{Type}}{\Xi \vdash_\Sigma A \multimap B : \mathrm{Type}}$ ($\Lambda$I2)   $[\Xi'; \Gamma; \Delta]$, $\Xi = \Xi' \setminus (lin(\Gamma) \cap lin(\Delta))$

$\dfrac{\Gamma, x{!}A \vdash_\Sigma B{:}\mathrm{Type}}{\Gamma \vdash_\Sigma \Lambda x{!}A.B : \mathrm{Type}}$ ($\Lambda$I!)

The $\Lambda$I1 and $\Lambda$I2 rules form linear types. The second of these introduces the notion of context joining for binary multiplicative rules. The join must respect the ordering of the premiss contexts and the type of linear-intuitionistic variables. A method to join $\Gamma$ and $\Delta$ to form $\Xi$, denoted by $[\Xi; \Gamma; \Delta]$, is defined in § 2.1 below. (The second side-condition is explained in Example 2 below.)

Some of the interesting object-level rules are given next. The two variable declaration rules, Var and Var!, declare linear and intuitionistic variables, respectively. These rules should not be seen as weakening in the context $\Gamma$ as, by induction, the variables declared in $\Gamma$ are "used" in the construction of the type $A$. In the rules for abstraction, $\lambda$I and $\lambda$I!, the type of extension determines the type of function formed, just as in BI.

$\dfrac{\Gamma \vdash_\Sigma A{:}\mathrm{Type}}{\Gamma, x{:}A \vdash_\Sigma x{:}A}$ (Var)   $\dfrac{\Gamma \vdash_\Sigma A{:}\mathrm{Type}}{\Gamma, x{!}A \vdash_\Sigma x{:}A}$ (Var!)   $\dfrac{\Gamma, x{:}A \vdash_\Sigma M{:}B}{\Gamma \vdash_\Sigma \lambda x{:}A.M : \Lambda x{:}A.B}$ ($\lambda$I)

$\dfrac{\Gamma, x{!}A \vdash_\Sigma M{:}B}{\Gamma \vdash_\Sigma \lambda x{!}A.M : \Lambda x{!}A.B}$ ($\lambda$I!)

Before we give the rules for object-level application, we would like to motivate the notions of variable sharing and multiple occurrences. Consider the following example of a non-derivation:

Example 2. Let $A{:}\mathrm{Type}$, $c{!}A \multimap \mathrm{Type} \in \Sigma$ and note that the argument type, $cx$, is a dependent one; the linear $x$ is free in it:

$\dfrac{\dfrac{\dfrac{x{:}A \vdash_\Sigma cx{:}\mathrm{Type}}{x{:}A, z{:}cx \vdash_\Sigma z{:}cx}}{x{:}A \vdash_\Sigma \lambda z{:}cx.z : \Lambda z{:}cx.cx} \qquad \dfrac{x{:}A \vdash_\Sigma cx{:}\mathrm{Type}}{x{:}A, y{:}cx \vdash_\Sigma y{:}cx}}{x{:}A, x{:}A, y{:}cx \vdash_\Sigma (\lambda z{:}cx.z)y : cx}$

The problem is that an excess of linear $x$s now appears in the combined context after the application step. This is due to the fact that an $x$ each is needed for the well-formedness of each premiss type but only one $x$ is needed for the well-formedness of the conclusion type. Our solution is to recognize the two $x$s as two distinct occurrences of the same variable, the one occurring in the argument type $cx$, and to allow a notion of sharing of this variable. One implication of this solution is that repeated declarations of the same




Kripke Resource Models of a Dependently-Typed, Bunched λ-Calculus 239 



variable are allowed in contexts; there are side-conditions on the context formation rules 
which reflect this (but, for reasons of simplicity, were omitted above). It is now necessary 
to define formally a binding strategy for multiple occurrences; this we do in § 2.2 below. 
The sharing aspect is implemented via the κ function, defined in § 2.3. 

We can now give the rules for function application. The side-condition on these 
is as follows: first, join the premiss contexts; then, apply κ to maintain the linearity 
constraint. It can be seen that these side-conditions are type-theoretically and, via the 
propositions-as-types correspondence, logically natural: 



$$
\frac{\Gamma \vdash_\Sigma M : \Lambda x{:}A.\,B \qquad \Delta \vdash_\Sigma N{:}A}{\Xi \vdash_\Sigma MN : B[N/x]}\ (\lambda E)
\qquad [\Xi'; \Gamma; \Delta],\ \ \Xi = \Xi' \setminus \kappa(\Gamma, \Delta)
$$

$$
\frac{\Gamma \vdash_\Sigma M : \Lambda x{!}A.\,B \qquad {!}\Delta \vdash_\Sigma N{:}A}{\Xi \vdash_\Sigma MN : B[N/x]}\ (\lambda E_!)
\qquad [\Xi; \Gamma; {!}\Delta]
$$



An essential difference between linear and intuitionistic function application is that, 
for the latter, the context for the argument N:A is an entirely intuitionistic one (!Δ), 
which allows the function to use N as many times as it likes. 

The definitional equality relation that we consider for the λΛ-calculus is the β-
conversion of terms at all three levels. The definitional equality relation, =, between 
terms at each respective level is defined to be the symmetric and transitive closure of 
the parallel nested reduction relation. There is little difficulty (other than that for the 
λΠ-calculus [6,20]) in strengthening the definitional equality relation by the η-rule. 



2.1 Context Joining 

The method of joining two contexts is a ternary relation [Ξ; Γ; Δ] defined as follows: 

$$
\frac{}{[\langle\rangle;\ \langle\rangle;\ \langle\rangle]}\ (\mathrm{JOIN})
\qquad
\frac{[\Xi;\ \Gamma;\ \Delta]}{[\Xi, x{!}A;\ \Gamma, x{!}A;\ \Delta, x{!}A]}\ (\mathrm{JOIN\text{-}!})
$$

$$
\frac{[\Xi;\ \Gamma;\ \Delta]}{[\Xi, x{:}A;\ \Gamma, x{:}A;\ \Delta]}\ (\mathrm{JOIN\text{-}L})
\qquad
\frac{[\Xi;\ \Gamma;\ \Delta]}{[\Xi, x{:}A;\ \Gamma;\ \Delta, x{:}A]}\ (\mathrm{JOIN\text{-}R})
$$



2.2 Multiple Occurrences 

The type theory allows multiple occurrences of variables. For example, if c:A ⊸ A ⊸ B 
and x:A, then cxx is a valid term. The two occurrences of x can be seen as different 
“colourings” of x. For the purposes of binding, we must be able to pick out the first 
occurrence of x from the second. We define the left-most free occurrence of x in U and 
a corresponding binding strategy for it. 

The left-most linear occurrence of x in U is, basically, the first x, syntactically, in 
the body of U; e.g., if U = VM, then the left-most occurrence of x is defined as follows: 

$$
\begin{aligned}
\mathrm{lm}_x(@M) &= \mathrm{lm}_x(M) && x,\ @\ \text{distinct} \\
\mathrm{lm}_x(xM) &= \{x\} \\
\mathrm{lm}_x(VM) &= \begin{cases} \mathrm{lm}_x(V) & x \in \mathrm{LFV}(V) \\ \mathrm{lm}_x(M) & \text{otherwise} \end{cases}
\end{aligned}
$$

where @ ranges over atoms (constants or variables). 

The left-most occurrence of x∈A in a context Γ is the first declaration of x∈A in 
Γ. Similarly, the right-most occurrence of x∈A in Γ is the last such declaration. The 
following binding strategy now formalizes the concept of linearity constraint: 
Definition 2. Assume Γ, x:A, Δ ⊢_Σ U:V and that x:A is the right-most occurrence of 
x in the context. Then x binds: 

1. The first left-most occurrence of x in the types in Δ, if there is such a declaration; 

2. The unbound left-most linear occurrences of x in U:V. 

There is no linearity constraint for intuitionistic variables: the right-most occurrence of 
x!A in the context binds all the unbound xs used in the type of a declaration in Δ and 
all the occurrences of x in U:V. 

The rules for deriving judgements are now read according to the strategy in place. 
For example, in the λI rule, the λ (Λ) binds the left-most occurrence of x in M (B). 
Similarly, in the (admissible) cut rule, the term N:A cuts with the left-most occurrence 
of x:A in the context Δ, x:A, Δ'. In the corresponding intuitionistic rules, the λ! (Λ!) 
binds all occurrences of x in M (B) and N:A cuts all occurrences of x!A in the context 
Δ, x!A, Δ'. 

Example 3. Let c:A ⊸ A ⊸ B ∈ Σ. Then we can construct a derivation of the judge- 
ment x:A, x:A ⊢_Σ cxx:B in which the bindings are coloured with the numbers 1 and 2 
as follows: $x_2{:}A, x_1{:}A \vdash_\Sigma c\,x_1\,x_2 : B$. 



2.3 Variable Sharing 

Sharing occurs when linear variables are needed for the well-formedness of the premiss 
types but not necessarily for the well-formedness of the conclusion type. This require- 
ment is regulated by a function κ. We define κ by considering the situation when either 
of the two contexts Γ or Δ is of the form …, x:A or …, x:A, y:Bx. The only case 
when the two declarations of x:A are not identified with each other is when both Γ and 
Δ are of the form …, x:A, y:Bx. 

The function κ is defined for the binary, multiplicative rules as follows: for each 
x:A occurring in the premiss contexts Γ and Δ, construct from right to left as follows: 

$$
\kappa(\Gamma, \Delta) =
\begin{cases}
\{\} & \text{if } \mathrm{lin}(\Gamma) \cap \mathrm{lin}(\Delta) = \emptyset \\[6pt]
\{\, x{:}A \mid \text{either (i) there is no } y{:}B(x) \text{ to the right of } x{:}A \text{ in } \Gamma, & \\
\qquad\quad \text{or (ii) there is no } y{:}B(x) \text{ to the right of } x{:}A \text{ in } \Delta, & \\
\qquad\quad \text{or both (i) and (ii)} \,\} & \text{otherwise}
\end{cases}
$$

In the absence of sharing of variables, when the first clause only applies, we still 
obtain a useful linear dependent type theory, with a linear dependent function space but 
without the dependency of the abstracting Λs on the previously abstracted variables. 

Example 4. We can now correct Example 2. Suppose A!Type, c!A ⊸ Type ∈ Σ. Then 
we construct the following: 

$$
\frac{
  \dfrac{\dfrac{x{:}A \vdash_\Sigma cx : \mathrm{Type}}{x{:}A, z{:}cx \vdash_\Sigma z : cx}}{x{:}A \vdash_\Sigma \lambda z{:}cx.\,z : \Lambda z{:}cx.\,cx}
  \qquad
  \dfrac{x{:}A \vdash_\Sigma cx : \mathrm{Type}}{x{:}A, y{:}cx \vdash_\Sigma y : cx}
}{x{:}A, y{:}cx \vdash_\Sigma (\lambda z{:}cx.\,z)\,y : cx}\ \dagger
$$

The † denotes the following action. First, the premiss contexts are joined together to get 
x:A, x:A, y:cx. Then κ removes the extra occurrence of x:A and so restores linearity. 
The function κ is not required, i.e., its use is vacuous, when certain restrictions of 
the λΛ-calculus type theory are considered. For instance, if we restrict type-formation 
to be entirely intuitionistic, so that type judgements are of the form !Γ ⊢_Σ A:Type, then 
we get the {Π, ⊸, &}-fragment of Cervesato and Pfenning’s type theory [5]. 

A summary of the major meta-theorems, proved in [13], pertaining to the type theory 
and its reduction properties, is given by the following (other properties include admis- 
sibility of the structural rules, unicity of types and subject reduction): 

Theorem 1. 1. All well-typed terms are Church-Rosser. 

2. If Γ ⊢_Σ U:V, then U is strongly normalizing. 

3. All assertions of the λΛ-calculus are decidable. □ 

3 Kripke Resource Semantics 

The semantics of BI, a fragment of which corresponds to the internal logic of the λΛ- 
calculus, can be understood, categorically, by a single category which carries two monoi- 
dal structures. It can also be understood, model-theoretically, by a unique combination 
of two familiar ideas: a Kripke-style possible worlds semantics and an Urquhart-style re- 
source semantics. We will use the internal logic and its semantics to motivate an indexed 
categorical semantics for the type theory: indeed, we require that our models provide a 
semantics for both the λΛ-calculus as a presentation of its internal logic and as a theory 
of functions. 



3.1 Kripke Resource λΛ-Structure 

The key issue in the syntax concerns the co-existing linear and intuitionistic function 
spaces and quantifiers. This distinction can be explained by reference to a resource 
semantics. The notion of resource, such as time and space, is a primitive in informatics. 
Essential aspects of a resource include our ability to identify elements (including the 
null element) of the resource and their combinations. Thus we work with a resource 
monoid (R, +, 0). We can also imagine a partial order ⊑ between resources, indicating 
when one resource is better than another, in that it may prove more propositions. 

A resource semantics elegantly explains the difference between the linear and intui- 
tionistic connectives in that the action, or computation, of the linear connectives can be 
seen to consume resources. We consider this for the internal logic judgement (X)Δ ⊢ φ. 
Let $\mathcal{M} = (M, \cdot, e, \sqsubseteq)$ be a Kripke resource monoid. The forcing relation for the two 
implications can be defined as follows: 

1. $r \models \phi \to \psi$ iff for all $s \in M$, if $r \sqsubseteq s$ and $s \models \phi$ then $s \models \psi$ 

2. $r \models \phi \multimap \psi$ iff for all $s \in M$, if $s \models \phi$ then $r \cdot s \models \psi$ 

A similar pair of clauses defines the forcing relation for BI’s two quantifiers. Here 
$D : \mathcal{M}^{op} \to \mathbf{Set}$ is a domain of individuals and $u \in \llbracket X \rrbracket r$ is an environment appropriate 
to the bunch of variables X at world r, where $\llbracket X \rrbracket$ is the interpretation of the bunch of 
variables X in $\mathbf{Set}^{\mathcal{M}^{op}}$: 

1. $(X)u, r \models \forall x.\phi$ iff for all $r \sqsubseteq s$ and all $d \in Ds$, $(X;x)\langle \llbracket X \rrbracket(r \sqsubseteq s)u, d \rangle, s \models \phi$ 

2. $(X)u, r \models \forall_{new} x.\phi$ iff for all $s$ and all $d \in Ds$, $(X,x)[u, d], r \cdot s \models \phi$ 

Here $\langle -, - \rangle$ is cartesian pairing and $[-, -]$ is the pairing operation defined by Day’s 
tensor product construction in $\mathbf{Set}^{\mathcal{M}^{op}}$. The resource semantics can be seen to combine 
Kripke’s semantics for intuitionistic logic and Urquhart’s semantics for relevant logic 
[14,22]; see [15,19]. 

Suppose we have a category ℰ where the propositions will be interpreted. Then we 
will index ℰ in two ways for the purposes of interpreting the type theory. First, we index 
it by a Kripke world structure W. This is to let the functor category [W, ℰ] have enough 
strength to model the -fragment of the internal logic and so correspond to Kripke- 
style models for intuitionistic logic. Second, we index by a resource monoid R. 
Thus, we obtain R-indexed sets of Kripke functors $\{\mathcal{J}_r : [W, \mathcal{E}] \mid r \in R\}$. We remark that 
the separation of worlds from resources considered in this structure emphasizes a sort 
of “phase shift” [8,11]. We reconsider this choice in § 4. 

We now consider how to model the propositions and so explicate the structure of ℰ. 
The basic judgement of the internal logic is (X)Δ ⊢ φ, that φ is a proposition in the 
context Δ over the context X. One reading of this judgement, and perhaps the most 
natural, is to see X as an index for the propositional judgement Δ ⊢ φ. This reading 
can be extended to the type theory, where, in the basic judgement Γ ⊢_Σ M:A, Γ can 
be seen as an index for M:A, or M:A depends on Γ for its meaning. Thus we are 
led to using the technology of indexed category theory. More specifically, in the case of 
the type theory, the judgement Γ ⊢_Σ M:A is modelled as the arrow $1 \to \llbracket A \rrbracket$ in the 
fibre over $\llbracket \Gamma \rrbracket$ in the strict indexed category $\mathcal{E} : C^{op} \to \mathbf{Cat}$. Alternative approaches to 
the semantics of (intuitionistic) dependent types are presented in, for example, Cartmell 
[4], Pitts [16]. These presentations lack the conceptual distinction provided by indexed 
categories. 

We need the base category C to account for the structural features of the type theory 
and its internal logic, hence the following definition: 

Definition 3. A doubly monoidal category is a category C equipped with two monoidal 
structures, (⊗, I) and (×, 1). C is called cartesian doubly monoidal if × is cartesian. We 
will use • to range over both products. 

There are a couple of comments we need to make about the monoidal structure on 
C. Firstly, there is no requirement that the bifunctors ⊗ and × be symmetric, as the 
contexts that the objects are intended to model are (ordered) lists. Secondly, the use of 
the symbol × as one of the context extension operators suggests that × is a cartesian 
product. This is indeed the case when $\{\mathcal{J}_r \mid r \in R\}$ is a model of the internal logic, where 
there are no dependencies within the variable context X, but not when $\{\mathcal{J}_r \mid r \in R\}$ is 
a model of the type theory, where there are dependencies within Γ. In the latter case, 
we have the property that for each object D extended by ×, there is a first projection 
map $p_{D,A} : D \times A \to D$. There is no second projection map $q_{D,A} : D \times A \to A$ in C, as 
A by itself may not correspond to a well-formed type. For modelling the judgement 
Γ, x∈A ⊢_Σ x:A, we do, however, require the existence of a map $1 \to \llbracket A \rrbracket$ in the fibre 
over $\llbracket \Gamma \rrbracket \bullet \llbracket A \rrbracket$. 

A doubly monoidal category C with both exponentials or, alternatively, C equipped 
with two monoidal closed structures (×, →) and (⊗, ⊸), is called a cartesian doubly 
closed category (DCC) in O’Hearn and Pym [15,19]. Cartesian DCCs provide a class of 
models of BI in which both function spaces are modelled within C. We will work with 
the barer doubly monoidal category, requiring some extra structure on the fibres to model 
the function space. This can be seen as a natural extension to the semantics of bunches 
to account for dependency. It can be contrasted to the Barber-Plotkin model of DILL 
[1], which uses a pair of categories, a monoidal one and a cartesian one, together with 
a monoidal adjunction between them. But this forces too much of a separation between 
the linear and intuitionistic parts of a context to be of use to us. 

We now consider how the function spaces are modelled. In the intuitionistic case, the 
weakening functor $p^*_{D,A}$ has a right adjoint $\Pi_{D,A}$ which satisfies the Beck-Chevalley 
condition. In fact, this amounts to the existence of a natural isomorphism (the one 
stated in Lemma 1 below) 

$$
\mathrm{Hom}_{\mathcal{J}(W)(D \times A)}(p^*_{D,A}(1), B) \cong \mathrm{Hom}_{\mathcal{J}(W)(D)}(1, \Pi_{D,A}(B)).
$$

The absence of weakening for the linear context extension operator means that we 
can’t model Λ in the same way. But the structure displayed above suggests a way to 
proceed. It is sufficient to require the existence of a natural isomorphism 

$$
\Lambda_{D,A} : \mathrm{Hom}_{\mathcal{J}_{r+r'}(W)(D \bullet A)}(1, B) \cong \mathrm{Hom}_{\mathcal{J}_r(W)(D)}(1, \Lambda x{\in}A.\,B)
$$

in the indexed category. There are a couple of remarks that need to be made about 
the isomorphism. Firstly, it refers only to those hom-sets in the fibre whose source 
is 1. This restriction, which avoids the need to establish the well-foundedness of an 
arbitrary object over both D and D • A, suffices to model the judgement Γ ⊢_Σ M:A as 
an arrow $1 \to \llbracket A \rrbracket$ in the fibre over $\llbracket \Gamma \rrbracket$: examples are provided by both the term and 
set-theoretic models that we will present later. The second remark we wish to make is 
that the extended context is defined in the r + r'-indexed structure. The reason for this 
can be seen by observing the form of the forcing clause for application in BI. Given 
these two remarks, the above isomorphism allows the formation of function spaces. 

Definition 4. Let (R, +, 0) be a commutative monoid (of “resources”). A Kripke re- 
source λΛ-structure is an R-indexed set of functors $\{\mathcal{J}_r : [W, [C^{op}, \mathbf{Cat}]] \mid r \in R\}$ where 
(W, ≤) is a poset, $C^{op} = \bigcup_{W \in W} C_W^{op}$ where W ∈ W and each $C_W$ is a small doubly 
monoidal category with 1 = I, and Cat is the category of small categories and functors, 
such that: 

1. Each $\mathcal{J}_r(W)(D)$ has a terminal object, $1_{\mathcal{J}_r(W)(D)}$, preserved on the nose by each 
$f^* = \mathcal{J}_r(W)(f)$, where $f : E \to D \in C_W$; 

2. For each W ∈ W, $D \in C_W$ and object $A \in \mathcal{J}_r(W)(D)$, there is a $D \bullet A \in C_W$. 
For the cartesian extension, there are canonical first projections $p_{D,A} : D \times A \to D$ 
and canonical pullbacks $p_{E,f^*A}$ of $p_{D,A}$ along each $f : E \to D$. The pullback indicates, for the 
cartesian case, how to interpret realizations as tuples. In particular, for each $1 \to A$ in 
$\mathcal{J}_r(W)(D)$, there exists a unique arrow $D \to D \times A$. It does not cover the 
case for the monoidal extension. For that, we require there to exist a unique $D (= D \otimes I) \to D \otimes A$, 
the tuples being given by the bifunctoriality of ⊗. For both 
extensions, there is a canonical second projection $q_{D,A} : 1 \to A$ in the fibre over $D \bullet A$. 
These maps are required to satisfy the strictness conditions that $(\mathrm{Id}_D)^*(A) = A$ 
and $\mathrm{Id}_D \bullet A = \mathrm{Id}_{D \bullet A}$ for each $A \in \mathcal{J}_r(W)(D)$; $g^*(f^*(A)) = (g;f)^*(A)$ and 
$(g \bullet f^*(A)); (f \bullet A) = (g;f) \bullet A$ for each $g : F \to E$ and $f : E \to D$ in $C_W$. Moreover, for each 
W and D, $D \bullet 1 = D$; 

3. For each D, A, there is a natural isomorphism $\Lambda_{D,A}$ 

$$
\Lambda_{D,A} : \mathrm{Hom}_{\mathcal{J}_{r+r'}(W)(D \bullet A)}(1, B) \cong \mathrm{Hom}_{\mathcal{J}_r(W)(D)}(1, \Lambda x{\in}A.\,B)
$$

where the extended context is defined in the r + r'-indexed functor. This natural 
isomorphism is required to satisfy the Beck-Chevalley condition: for each $f : E \to D$ 
in $C_W$ and each B in $\mathcal{J}_r(W)(D \bullet A)$, $f^*(\Lambda_{D,A} B) = \Lambda_{E, f^*A}((f \bullet \mathrm{id}_A)^* B)$; 

4. Each category $\mathcal{J}_r(W)(D)$ has cartesian products. 

Our approach is modular enough to also provide a categorical semantics for the 
intuitionistic fragment of the λΛ-calculus, the λΠ-calculus. Basically, we work with a 
single functor $\mathcal{J} : [W, [P^{op}, \mathbf{Cat}]]$, where P is a category with only the cartesian structure 
(×, 1) on it. The definition of Π as right adjoint to weakening can be recovered from 
the natural isomorphism. We see this in the following lemma, which is motivated by the 
propositions-as-types correspondence that we gave earlier: 

Lemma 1. The natural iso 

$$
\mathrm{Hom}_{\mathcal{J}(W)(D \times A)}(p^*_{D,A}(1), B) \cong \mathrm{Hom}_{\mathcal{J}(W)(D)}(1, \Pi_{D,A}(B))
$$

in the Kripke λΠ-structure $\mathcal{J}$ is just the $\Lambda_{D,A}$ natural isomorphism in the D × A case 
in the Kripke resource λΛ-structure. □ 

For the proof, we provide a translation from a Kripke resource λΛ-structure to a 
Kripke λΠ-structure which forgets the linear-intuitionistic distinction, translating both 
⊗ and × in C to × in P. The translation has some similarity with Girard’s translation of 
$- \multimap -$ into $!(-) \to -$ [8]. Under the translation, the object Λx!A.B (in a particular $\mathcal{J}_r$) 
ends up as Πx:A.B (in $\mathcal{J}$). If we uncurry this, we get the corresponding translation, as 
$p_{D,A} : D \times A \to D$ always exists in C. 



3.2 Kripke Resource Σ-λΛ-Models 

We will restrict our discussion of semantics to the M:A-fragment. The treatment of the 
-fragment is undertaken analogously; in a sense, the -fragment has the same 
logical structure as the M:A-fragment but needs some extra structure. To interpret the 
kind Type, for instance, we must require the existence of a chosen object which obeys 
some equations regarding substitution and quantification. A treatment of the intuitionistic 
case is in Streicher [21]. 

A Kripke resource model is a Kripke resource structure that has enough points to 
interpret not only the constants of Σ but also the λΛ-calculus terms defined over Σ and 
a given context Γ. Formally, a Kripke resource model is made up of five components: 
a Kripke resource structure that has Σ-operations, an interpretation function, two C- 
functors, and a satisfaction relation. Except for the structure, the components are defined, 
due to inter-dependences, simultaneously by induction on raw syntax. 
Ignoring these inter-dependencies for a moment, we explain the purpose of each 
component of the model. First, the Kripke resource structure provides the abstract domain 
in which the type theory is interpreted. The Σ-operations provide the points to interpret 
constants in the signature. Second, the interpretation ⟦−⟧ is a partial function, mapping 
raw (that is, not necessarily well-formed) contexts Γ to objects of C, types over raw 
contexts $A_\Gamma$ to objects in the category indexed by the interpretation of Γ, and terms 
over raw contexts $M_\Gamma$ to arrows in the category indexed by the interpretation of Γ. 
Types and terms are interpreted up to βη-equivalence. Fourth, the C-functors maintain 
the well-formedness of contexts with regard to joining and sharing. The model also 
needs to be constrained so that multiple occurrences of variables in the context get the 
same interpretation. Fifth, satisfaction is a relation on worlds and sequents axiomatizing 
the desired properties of the model. In stronger logics, such as intuitionistic logic, the 
abstract definition of the model is sufficient to derive the properties of the satisfaction 
relation. In our case, the definition has to be given more directly. We give only part of 
the definition of the model below, the actual definition being long and complex. 

Definition 5. Let Σ be a λΛ-calculus signature. A Kripke resource Σ-λΛ model is 
a 5-tuple $\langle \{\mathcal{J}_r : [W, [C^{op}, \mathbf{Cat}]] \mid r \in R\},\ \llbracket - \rrbracket,\ \mathit{join},\ \mathit{share},\ \models_\Sigma \rangle$ defined by simultaneous 
induction on the raw structure of the syntax as follows (we omit most of the clauses for 
reasons of brevity): 

1. $\{\mathcal{J}_r : [W, [C^{op}, \mathbf{Cat}]] \mid r \in R\}$ is a Kripke resource λΛ-structure that has Σ-operations. 
That is, for all W in W there is, corresponding to each constant in the signature, 
an operation or arrow in each fibre $\mathcal{J}_r(W)(D)$ that denotes the constant; 

2. An interpretation ⟦−⟧ from the raw syntax of the λΛ-calculus to components of 
the structure satisfies, at each W, at least the following clauses: 

(a) $\llbracket \Gamma, x{:}A \rrbracket = \llbracket \Gamma \rrbracket \otimes \llbracket A_\Gamma \rrbracket$; (b) $\llbracket \Gamma, x{!}A \rrbracket = \llbracket \Gamma \rrbracket \times \llbracket A_\Gamma \rrbracket$; 

(c) $\llbracket c_\Gamma \rrbracket = \ldots$; (d) $\llbracket x_{\Gamma, x{:}A} \rrbracket = q_{\llbracket \Gamma \rrbracket, \llbracket A_\Gamma \rrbracket}$; 

(e) $\llbracket \lambda x{:}A.\,M_\Gamma \rrbracket = \ldots$; 

(f) $\llbracket MN_\Xi \rrbracket = \ldots$, where $\llbracket \Xi' \rrbracket = \mathit{join}(\llbracket \Gamma \rrbracket, \llbracket \Delta \rrbracket)$ 
and $\llbracket \Xi \rrbracket = \mathit{share}(\llbracket \Xi' \rrbracket)$, 

where, in (c), the arity of c is m and $\Lambda^m$ denotes m applications of Λ. 

3. join and share are two C-functors that maintain context well-formedness; 

4. Satisfaction in the model is a relation over worlds and sequents such that at least 
the following holds: $\mathcal{J}_r, W \models_\Sigma (M : \Lambda x{:}A.\,B)\,[\Gamma]$ iff for all $W' \ge W$ and for 
all $s \in R$, if $\mathcal{J}_s, W' \models_\Sigma (N{:}A)\,[\Delta]$, then $\mathcal{J}_t, W' \models_\Sigma (MN : B[N/x])\,[\Xi]$, where 
$t = r + s$ and $\llbracket \Xi \rrbracket = \mathit{share}(\llbracket \Xi' \rrbracket)$ with $\llbracket \Xi' \rrbracket = \mathit{join}(\llbracket \Gamma \rrbracket, \llbracket \Delta \rrbracket)$, and analogously 
for the intuitionistic case. 

We require two conditions on the model: syntactic monotonicity (if X is defined, then 
so are the sub-terms of X) and Kripke accessibility (the interpretation of X, if defined, is 
the same in all accessible worlds; there is no “relativization”). 



Given an appropriate notion of validity in the model, we obtain: 

Theorem 2. Soundness and completeness: Γ ⊢_Σ M:A iff Γ ⊨_Σ M:A. □ 

We sketch the argument for completeness, first giving an algebraic presentation of 
the type theory. 

Definition 6. Let Σ be a signature. The base category C(Σ) of contexts and realizations 
is defined as follows: 

- Objects: contexts Γ such that ⊢_Σ Γ context is derivable; 

- Arrows: realizations $\Gamma \xrightarrow{(M_1, \ldots, M_n)} \Delta$ such that $\Gamma \vdash_\Sigma M_i : A_i[M_j/x_j]^{i-1}_{j=1}$ 
is derivable for $1 \le i \le n$, where $\Delta = x_1{\in}A_1, \ldots, x_n{\in}A_n$; 

- Identities are $(x_1, \ldots, x_n) : x_1{\in}A_1, \ldots, x_n{\in}A_n \to x_1{\in}A_1, \ldots, x_n{\in}A_n$. We will write 
the identity arrow on Γ as $1_\Gamma$; 

- Composition is given by substitution. If $f = \Gamma \xrightarrow{(M_1, \ldots, M_n)} \Delta$ and 
$g = \Delta \xrightarrow{(N_1, \ldots, N_p)} \Theta$, then 
$f;g = \Gamma \xrightarrow{(N_1[M_j/y_j]^n_{j=1}, \ldots, N_p[M_j/y_j]^n_{j=1})} \Theta$. 

C(Σ) is doubly monoidal because of the two ways of extending the context. 

Definition 7. We inductively define a strict indexed category $\mathcal{E}(\Sigma) : C(\Sigma)^{op} \to \mathbf{Cat}$ over 
the base category C(Σ) as follows: 

- For each Γ in C(Σ), the category $\mathcal{E}(\Sigma)(\Gamma)$ is defined as follows: 

  - Objects: types A such that Γ ⊢_Σ A:Type is derivable; 

  - Morphisms: $A \xrightarrow{M} B$, where the object M is such that $\Gamma, x{:}A \to \Gamma, y{:}B$ in C(Σ). 
Composition is given by substitution; 

- For each $f : \Gamma \to \Delta$ in C(Σ), $\mathcal{E}(\Sigma)(f)$ is a functor $f^* : \mathcal{E}(\Sigma)(\Delta) \to \mathcal{E}(\Sigma)(\Gamma)$ given 
by $f^*(A) = A[f]$ and $f^*(M) = M[f]$. 

We remark that each $\mathcal{E}(\Sigma)(\Gamma)$ is a category. Note that the identity arrow $A \to A$ 
over Γ is given by the term λx:A.x, corresponding to the definition of morphisms 
above. To see that this construction is correct, consider that the axiom sequent is of the form 
Γ, x:A ⊢_Σ x:A, with the side-condition that Γ ⊢_Σ A:Type, thereby using the variables 
in Γ. 

Returning to the discussion about the completeness theorem, the syntactic category 
of contexts, C(Σ), is used to define other components of the term structure too. The 
indexing monoid (R, +, 0) consists of the objects of C(Σ) combined with the joining 
relation [−; −; −]. The empty context is the monoid unit. The world structure W(Σ) is 
C(Σ) restricted to only intuitionistic extension. 

We can then give an appropriate model existence lemma. The Kripke resource struc- 
ture $\{\mathcal{J}_\Delta : [W(\Sigma), [C(\Sigma)^{op}, \mathbf{Cat}]] \mid \Delta \in \mathrm{obj}(C(\Sigma))\}$ has $C(\Sigma)^{op} = \bigcup_{\Theta \in W(\Sigma)} C(\Sigma)_\Theta^{op}$, and 
$\mathcal{J}_\Delta(\Theta)(\Gamma)$ is the category consisting of those types and terms which can be defined 
over the sharing-sensitive join of Δ, Θ and Γ. The Σ-operations of the model are given 
by the constants declared in the signature Σ. The functors join and share are defined 
by [−; −; −] and κ, respectively. The interpretation function is the obvious one in which 
a term (type) is interpreted by the class of terms (types) definitionally equivalent to the 
term (type) in the appropriate component of the structure. The satisfaction relation is 
given by provability in the type theory. Details of the proof are in [12]. 
4 A Class of Set-Theoretic Models 

We describe a class of set-theoretic Kripke resource models, in which the Kripke resource 
λΛ-structure $\{\mathcal{J}_r : [W, [C^{op}, \mathbf{Cat}]] \mid r \in R\}$ is given by $\mathbf{BIFam} : [C, [\mathbf{Ctx}^{op}, \mathbf{Set}]]$, where C 
is a small monoidal category and Ctx is a small set-theoretic category of “contexts”. The 
model is a construction on the category of families of sets and exploits Day’s construction 
to define the linear dependent function space. 

We begin with the indexed category of families of sets, $\mathbf{Fam} : [\mathbf{Ctx}^{op}, \mathbf{Cat}]$. The base, 
Ctx, is a small set-theoretic category defined inductively as follows. The objects of 
Ctx, called “contexts”, are (i.e., their denotations are) sets and the arrows of Ctx, called 
“realizations”, are set-theoretic functions. For each $D \in \mathrm{obj}(\mathbf{Ctx})$, $\mathbf{Fam}(D) = \{y \in B(x) \mid x \in D\}$. 
The fibre can be described as a discrete category whose objects are 
the ys and whose arrows are the maps $1_y : y \to y$ corresponding to the identity functions 
$\mathrm{id} : \{y\} \to \{y\}$ on y considered as a singleton set. If $f : E \to D$ is an arrow in Ctx, then 
$\mathbf{Fam}(f) = f^* : \mathbf{Fam}(D) \to \mathbf{Fam}(E)$ re-indexes the set $\{y \in B(x) \mid x \in D\}$ over D to 
the set $\{f(z) \in B(f(z)) \mid z \in E\}$ over E. We are viewing Set within Cat; each object 
of Set is seen as an object, a discrete category, in Cat. Because of this, the category of 
families of sets can just be considered as a presheaf $\mathbf{Fam} : [\mathbf{Ctx}^{op}, \mathbf{Set}]$, rather than as an 
indexed category; we will adopt this view in the sequel. 

We can explicate the structure of Ctx by describing Fam as a contextual category 
[4]. The following definition is from Streicher [21]: 

Definition 8. The contextual category Fam, along with its denotation $\mathrm{DEN} : \mathbf{Fam} \to \mathbf{Set}$ 
and length, is described as follows: (1) 1 is the unique context of length 0 and $\mathrm{DEN}(1) = \{\emptyset\}$; 
(2) If D is a context of length n and $A : \mathrm{DEN}(D) \to \mathbf{Set}$ is a family of sets indexed 
by elements of DEN(D), then D × A is a context of length n + 1 and 
$\mathrm{DEN}(D \times A) = \{(x, y) \mid x \in \mathrm{DEN}(D),\ y \in A(x)\}$. If D and E are objects of the contextual category 
Fam, then the morphisms between them are simply the functions between DEN(D) and 
DEN(E). 

The codomain of the denotation, Set, allows the definition of an extensional context 
extension ×. But Set does not have enough structure to define an intensional context 
extension ⊗. In order to be able to define both × and ⊗, we denote Fam not in Set but 
in a presheaf $\mathbf{Set}^C$, where C is a monoidal category. We emphasize that, in general, C 
can be any monoidal category and, therefore, we are actually going to describe a class of 
set-theoretic models. For simplicity, we take $C^{op}$ to be a partially ordered commutative 
monoid $\mathcal{M} = (M, \cdot, e, \sqsubseteq)$. The cartesian structure on the presheaf gives us the × context 
extension and a restriction of Day’s tensor product [7] gives us the ⊗ context extension. 

We remark that the restriction of Day’s tensor product we consider is merely this: 
consider the set-theoretic characterization of Day’s tensor product as tuples (x, y, f) and, 
of all such tuples, consider only those where the y is an element of the family of sets 
in x. This is quite concrete, in the spirit of the Cartmell-Streicher models, and is not a 
general construction for a fibred Day product. 

Within the contextual setting, we then have the following definition: 

Definition 9. The contextual category BIFam, together with its denotation 
$\mathrm{DEN} : \mathbf{BIFam} \to \mathbf{Set}^{\mathcal{M}}$ and length, is described as follows: 

1. 1 is a context of length 0 and $\mathrm{DEN}(1)(X) = \{\emptyset\}$; 

2. I is a context of length 0 and $\mathrm{DEN}(I)(-) = \ldots$; 

3. If D is a context of length n and $A : \mathrm{DEN}(D)(X) \to \mathbf{Set}^{\mathcal{M}}$ is a family of $\mathcal{M}$-sets 
indexed by elements of DEN(D)(X), then 

a) D × A is a context of length n + 1 and 

$$
\mathrm{DEN}(D \times A)(X) = \{(x, y) \mid x \in \mathrm{DEN}(D)(X),\ y \in (A(x))(X)\}
$$

b) D ⊗ A is a context of length n + 1 and 

$$
\mathrm{DEN}(D \otimes A)(Z) = \{(x, y, f) \mid x \in \mathrm{DEN}(D)(X),\ y \in (A(x))(Y),\ f \in \mathcal{M}(Z, X \cdot Y)\}
$$

If D and E are objects of BIFam, then the morphisms between them are the fun- 
ctions between DEN(D)(X) and DEN(E)(X). BIFam is Fam parametrized by 
$\mathcal{M}$; objects that were interpreted in Set are now interpreted in $\mathbf{Set}^{\mathcal{M}}$. 

Now, by our earlier argument relating the indexed and contextual presentations of 
families of sets, BIFam can be seen as a functor category $\mathbf{BIFam} : [\mathbf{Ctx}^{op}, \mathbf{Set}^{\mathcal{M}}]$. This 
is not quite the presheaf setting we require. However, if we calculate 
$[\mathbf{Ctx}^{op}, \mathbf{Set}^{\mathcal{M}}] = [\mathbf{Ctx}^{op} \times \mathcal{M}, \mathbf{Set}] = [\mathcal{M} \times \mathbf{Ctx}^{op}, \mathbf{Set}] = [\mathcal{M}, [\mathbf{Ctx}^{op}, \mathbf{Set}]]$, then this restores the indexed 
setting and also reiterates the idea that $\mathcal{M}$ parametrizes Fam. The right adjoint to 
⊗, given by Day’s construction, provides the isomorphism needed to define the linear 
dependent function space. 

Lastly, we say what the R and W components of the concrete model are. Define 
$(R, +, 0) = (M, \cdot, e)$ and define $(W, \le) = (M/{\approx}, \sqsubseteq)$, where the quotient of M by the 
relation $w \approx w \cdot w$ is necessary because of the separation of worlds from resources 
(cf. BI’s semantics [22,15,19]). This allows us to define $\mathcal{J}_r(w) = \mathbf{BIFam}(r \cdot w)$. The 
quotiented $\mathcal{M}$ maintains the required properties of monotonicity and bifunctoriality of 
the internal logic forcing relation. We then check that $\mathbf{BIFam}(r \cdot w)$ does simulate $\mathcal{J}_r(w)$, 
and that BIFam is a Kripke resource λΛ-structure [12]. 

Theorem 3. $\mathbf{BIFam} : [\mathcal{M}, [\mathbf{Ctx}^{op}, \mathbf{Set}]]$ is a Kripke resource λΛ-structure and can be 
extended to a Kripke resource model. □ 

Definition 9 above comprises the main part of the proof that BIFam is a Kripke 
resource structure. It describes how Ctx can have two kinds of extension. These exten- 
sions are then used to describe two kinds of function space in BIFam. For the linear 
case, for instance, Λx:A.B is defined as the following set 

$$
\{\, f : \mathbf{BIFam}(Y)(A(x)) \to \textstyle\bigcup_y \{\mathbf{BIFam}(X \otimes Y)(B(x, y)) \mid y \in \mathbf{BIFam}(Y)(A(x))\} \ \mid\ 
\forall a \in \mathbf{BIFam}(Y)(A(x)).\ f(a) \in \mathbf{BIFam}(X \otimes Y)(B(x, a)) \,\}
$$

where $x \in \mathbf{BIFam}(X)(D)$. The intuitionistic function space is defined analogously, 
with the “resource” X over which the sets are defined staying the same. The natural 
isomorphism is given by abstraction and application in this setting. 

In order to extend BIFam to a model, the structure must have enough points to inter- 
pret the constants of the signature. We can work with an arbitrary signature and interpret 
constants and variables as the functors $\mathrm{Const} : \mathcal{M} \to \mathbf{Set}$ and $D : \mathcal{M} \to \mathbf{Set}$ respectively. 
The interpretation function $\llbracket - \rrbracket_{\mathbf{BIFam}}$ is parametrized over worlds-resources X. The in- 
terpretation of contexts is defined using the same idea as the construction of the category 
Ctx: 

1. $\llbracket \Gamma, x{:}A \rrbracket_{\mathbf{BIFam}} = \llbracket \Gamma \rrbracket_{\mathbf{BIFam}} \otimes \llbracket A_\Gamma \rrbracket_{\mathbf{BIFam}}$; 
2. $\llbracket \Gamma, x{!}A \rrbracket_{\mathbf{BIFam}} = \llbracket \Gamma \rrbracket_{\mathbf{BIFam}} \times \llbracket A_\Gamma \rrbracket_{\mathbf{BIFam}}$ 



The interpretation of functions is defined using abstraction and application. We must 
also define instances of the functors join and share for this setting; these are defined 
along the same lines as those for the term model. Finally, satisfaction is a relation over 
$\mathcal{M}$ and $[\mathbf{Ctx}^{op}, \mathbf{Set}]$ with the clauses reflecting the properties (in particular, those of 
application) of the example model: 

1. $X \models_\Sigma f : \Lambda x{:}A.\,B\ [D]$ iff $Y \models_\Sigma a{:}A\ [E]$ implies $X \otimes Y \models_\Sigma f(a) : B[a/x]\ [D \otimes E]$; 

2. $X \models_\Sigma f : \Pi x{:}A.\,B\ [D]$ if and only if $X \models_\Sigma a{:}A\ [E]$ implies $X \models_\Sigma f(a) : B[a/x]\ [D \times E]$. 
Abstract. The notion of isomorphisms of types has many theoretical 
as well as practical consequences, and isomorphisms of types have been 
investigated at length over the past years. Isomorphisms in weak systems 
(like linear lambda calculus) have recently been investigated due to their 
practical interest in library search. In this paper we give a remarkably 
simple and elegant characterization of linear isomorphisms in the setting 
of Multiplicative Linear Logic (MLL), by making an essential use of the 
correctness criterion for Proof Nets due to Girard. 



1 Introduction and Survey 

The interest in building models satisfying specific isomorphisms of types (or 
domain equations) is a long standing one, as it is a crucial problem in the de- 
notational semantics of programming languages. In the 1980s, though, some 
interest started to develop around the dual problem of finding the domain equa- 
tions (type isomorphisms) that must hold in every model of a given language. 
Alternatively, one could say that we are looking for those objects that can be 
encoded into one another by means of conversion functions f and g without loss
of information, i.e. such that the following diagram commutes

[diagram omitted: the two objects related by the conversion functions f and g]

The seminal paper by Bruce and Longo [5] addressed the case of pure first
and second order typed λ-calculus with essentially model-theoretic motivations,
but due to the connections between typed λ-calculus, cartesian closed categories,
proof theory and functional programming, the notion of isomorphism of types
showed up as a central idea that translates easily in each of those different but
related settings. In the framework of category theory, Soloviev already studied
the problem of characterizing types (objects) that are isomorphic in every car-
tesian closed category, providing a model theoretic proof of completeness for the
theory Th^1_{×T} in Table 1 (actually [21] is based on techniques used originally
in [15], while another different proof can be found in [16]). A treatment of this
same problem by means of purely syntactic methods for a λ-calculus extended
with surjective pairing and unit type was developed in [4], where the relations
between these settings, category theory and proof theory, originally suggested
by Mints, have been studied, and pursued further in [11]. Finally, [7] provi-
des a complete characterization of valid isomorphisms of types for second order
λ-calculus with surjective pairing and terminal object type, that includes all the
previously studied systems (see Table 1).



(swap)  A → (B → C) = B → (A → C)                    } Th^1
 1.     A × B = B × A
 2.     A × (B × C) = (A × B) × C
 3.     (A × B) → C = A → (B → C)
 4.     A → (B × C) = (A → B) × (A → C)
 5.     A × T = A
 6.     A → T = T
 7.     T → A = A
 8.     ∀X.∀Y.A = ∀Y.∀X.A
 9.     ∀X.A = ∀Y.A[Y/X]  (1)
10.     ∀X.(A → B) = A → ∀X.B  (2)
11.     ∀X.A × B = ∀X.A × ∀X.B
12.     ∀X.T = T
split   ∀X.A × B = ∀X.∀Y.A × (B[Y/X])

A, B, C stand for any type, while T is a constant for the terminal type unit.
Axiom swap in Th^1 is derivable in Th^1_{×T} via 1 and 3.

Table 1. Theories of isomorphisms for some typed lambda calculi.


These results have found their applications in the area of Functional Pro-
gramming, where they provide a means to search functions by type (see [18,19,
17,20,9,8,10]) and to match modules by specifications [2]. Also, they are used in
proof assistants to find proofs in libraries up to irrelevant syntactical details [6].

Linear isomorphisms of types. Recently, some weaker variants of isomorphism of
types have been shown to be of practical interest, linear isomorphism of types in particular
(e.g., for library search in databases), which corresponds to the isomorphism of
objects in Symmetric Monoidal Categories, and can also be described as the

(1) Provided X is free for Y in A, and Y ∉ FTV(A).

(2) Provided X ∉ FTV(A).

isomorphism of types in the system of lambda calculus which corresponds to
intuitionistic multiplicative linear logic. (A description of this system can be
found in [22].)

In [22] it was shown that the axiom system consisting of the axioms 1, 2, 3, 
5, and 7 defines an equivalence relation on types that coincides with the relation 
of linear isomorphism of types, and in [1] a very efficient algorithm for deciding 
equality of linear isomorphisms is provided; also, [12] provides a model theoretic
proof of the result in [22].

In this paper, instead of studying linear isomorphisms of intuitionistic for-
mulae, as is done when considering directly linear λ-terms, we focus on linear
isomorphisms of types inside the multiplicative fragment (MLL) of Linear Logic
[13], which is the natural setting for investigating the effect of linearity. We
should stress that isomorphisms in MLL are not the same as in linear lambda
calculus: MLL is a richer system, allowing formulae and proofs that
have no correspondence in linear lambda calculus, so we are investigating a fi-
ner world. But a particularly nice result of this change of point of view is that
the axioms for linear isomorphisms are reduced to a remarkably simple form,
namely, to associativity and commutativity of the logical connectives tensor and
par of MLL, plus the obvious axioms for the identities.

For example, if we interpret implication A → B in linear lambda calculus
as linear implication A ⊸ B in Linear Logic, which in turn is equivalent to
A⊥ ⅋ B, the isomorphism T → A = A becomes the simple identity isomor-
phism ⊥ ⅋ A = A. Similarly, currying ((A × B) → C = A → (B → C)) becomes
just associativity of the par connective (A⊥ ⅋ B⊥) ⅋ C = A⊥ ⅋ (B⊥ ⅋ C) and Swap
(A → (B → C) = B → (A → C)) becomes just A⊥ ⅋ (B⊥ ⅋ C) = B⊥ ⅋ (A⊥ ⅋ C),
which is a consequence of associativity and commutativity of par.

Formally, isomorphism of formulae in MLL is defined as follows:

Definition 1 (Linear isomorphism) Two formulae A and B are isomorphic if

— A and B are linearly equivalent, i.e. ⊢ A⊥, B and ⊢ B⊥, A;

— there exist proofs of ⊢ A⊥, B and ⊢ B⊥, A that reduce, when composed by a
cut rule to obtain a proof of ⊢ A⊥, A (resp. ⊢ B⊥, B), to the expansion of
the axiom ⊢ A⊥, A (resp. ⊢ B⊥, B) after cut elimination (3).

We show in this paper that two formulae A and B are linearly isomor-
phic if and only if AC(⊗,⅋) ⊢ A = B in the case of MLL without units, and
ACI(⊗,⅋) ⊢ A = B in the case of MLL with units, where AC(⊗,⅋) and ACI(⊗,⅋)
are defined in the following way:

(3) That is to say, to the proof of ⊢ A⊥, A obtained by allowing only atomic axioms.
Definition 2 (AC(⊗,⅋)) Let AC(⊗,⅋) denote the set constituted by the four
following equations:

X ⊗ Y = Y ⊗ X        (X ⅋ Y) ⅋ Z = X ⅋ (Y ⅋ Z)

X ⅋ Y = Y ⅋ X        (X ⊗ Y) ⊗ Z = X ⊗ (Y ⊗ Z)

AC(⊗,⅋) ⊢ A = B means that A = B belongs to the equational theory generated
by AC(⊗,⅋) over the set of linear logic formulae; in other words, it means that
the formulae are equal modulo associativity and commutativity of ⅋ and ⊗.

Definition 3 (ACI(⊗,⅋)) Let ACI(⊗,⅋) denote the set constituted by the
equations of AC(⊗,⅋) plus:

X ⊗ 1 = X        X ⅋ ⊥ = X

ACI(⊗,⅋) ⊢ A = B means that A = B belongs to the equational theory generated
by ACI(⊗,⅋).

As always, in the investigation of theories of isomorphic objects, the so- 
undness part is easy to prove: 

Theorem 4 (Isos soundness). If ACI(⊗,⅋) ⊢ A = B, then A and B are
linearly isomorphic.

Proof. By exhibiting the simple nets for the axioms and showing context closure. 

All the difficulty really lies in the proof of the other implication, completeness: 
the rest of the article focuses on its proof. To do that, we use in an essential way 
the proof-nets of Girard. 

Let’s now recall some preliminary definitions from linear logic (but we refer 
to [13] for a complete introduction): 

Definition 5 (proof nets) A proof net is a structure inductively obtained star-
ting from axiom links ⊢ A, A⊥ via the three construction rules

[figure: the ⊗-link with conclusion A ⊗ B, the ⅋-link with conclusion A ⅋ B, and the cut link]



Definition 6 (simple nets) A proof net is simple if it contains only atomic 
axiom links (i.e. axiom links involving only atomic formulae). 

It is quite simple to show that 

Proposition 1 (η-expansion of proof nets). For any (possibly not simple)
proof net S, there is a simple proof net with the same conclusions, which we call
η(S).

V. Balat and R. Di Cosmo

Proof. This is done by iterating a simple procedure of η-expansion of non
atomic axiom links, which can be replaced by two axiom links plus one par and
one times link.

This means that, as far as provability is concerned, one can restrict our at-
tention to simple nets. We will show that also as far as isomorphism is concerned
we can make this assumption.

We first characterize isomorphic formulae in MLL without units, by reducing
isomorphism to the existence of two particular proof-nets called simple bipartite
proof-nets. Then we show that we can restrict to non-ambiguous formulae (that
is, formulae in which each atom occurs at most once positive and at most once
negative). This characterization in terms of nets allows us to prove completeness
of AC(⊗,⅋) for MLL (without units) by a simple induction on the size of the
proof-net.

In the presence of units, we first simplify the formulae by removing all the
nodes of the shape 1 ⊗ A and ⊥ ⅋ A. Then we remark that isomorphisms for
simplified formulae are very similar to the case without units. By showing a
remarkable property of proof-nets for simplified formulae, we can indeed reduce
the completeness proof to the case without units.

The paper is organized as follows: reduction to simple bipartite proof-nets 
and non-ambiguous formulae will be detailed in sections 2 and 3. Then we will 
show the final result in section 4 before extending it to the case with units in 
section 5. 

2 Reduction to Simple Bipartite Proof Nets 

First of all, we formalize the reduction to simple nets hinted at in the introduc- 
tion. 

Definition 7 (tree of a formula, identity simple net) A cut-free simple
proof net S proving A is actually composed of the tree of A (named T(A))
and a set of axiom links over atomic formulae. We call identity simple net of A
the simple cut-free proof net obtained by a full η-expansion of the (generally not
simple) net consisting of the axiom link between A and A⊥. This net is made up
of T(A), T(A⊥) and a set of axiom links that connect atoms in T(A) with atoms in T(A⊥).

Notice that, in simple nets, the identity axiom for A is interpreted by the identity 
simple net of A. 

A first remark, which is important for a simple treatment of linear isomor- 
phisms, is that we can focus, w.l.o.g., on witnesses of isomorphisms which are 
simple proof nets. 

Lemma 1 (Simple vs. non-simple nets). If a (non-simple) net S reduces
via cut-elimination to S', then the simple net η(S) reduces to η(S').

Proof. It is sufficient to show that if S ▷ S' (one step reduction), then η(S) ▷* η(S')
(arbitrarily long reduction). If the redex R reduced in S does not contain any
axiom link, then exactly the same redex appears in η(S) that can therefore be
reduced in one step to η(S'). Otherwise R contains an axiom link, that may be
non atomic (if the axiom link is atomic, then the considered redex is exactly
the same in S and η(S) and the property is obvious). If F is non atomic and
the cut between F and F⊥ is the cut link of R, let n be the number of atoms of F (counted with
multiplicity). Then n − 1 is the number of connectives in F, and η(S) can be
reduced to η(S') in 2n − 1 steps (n − 1 steps to propagate the cut link to atomic
formulae, and n steps to reduce every atomic axiom link produced this way).

Theorem 8 (Reduction to simple proof nets). Two formulae A and B are
isomorphic iff there are two simple nets S with conclusions A⊥, B and S' with
conclusions B⊥, A that when composed using a cut rule over B (resp. A) yield
after cut elimination the identity simple net of A (resp. B).

Proof. The ‘if’ direction is trivial, since a proof net represents a proof and cut
elimination in proof nets corresponds to cut elimination over proofs.

For the ‘only if’ direction, take the two proofs giving the isomorphism and build
the associated proof nets S and S'. These nets have as conclusions A⊥, B (resp.
B⊥, A), and we know that after composing them via cut over B (resp. A) and
performing cut elimination, one obtains the axiom net of A (resp. B). Now take
the full η-expansions of S and S' as the required simple nets: by lemma 1, they
reduce by composition over B (resp. A) to the identity simple net of A (resp.
B).



We will show now that if two formulae are isomorphic then the isomorphism 
can be given by means of proof nets whose structure is particularly simple. 

Definition 9 (bipartite simple proof-nets) A cut-free simple proof net is
bipartite if it has exactly two conclusions A and B, and it consists of T(A),
T(B) and a set of axiom links connecting atoms of A to atoms of B, but not
atoms of A between them or atoms of B between them (an example is shown in
figure 1).

Lemma 2 (cuts and trees). Let S be a simple net (not a proof net) without
conclusions built out of just T(A) and T(A⊥), with no axiom link, and the cut
between A and A⊥. Then cut-elimination on S yields as a result just a set of atomic cut
links between atoms p_i of A and atoms p_i⊥ of A⊥.

Proof. This is a simple induction on the size of the net. 

Theorem 10 (Isomorphisms are bipartite). Let S be a cut-free simple proof
net with conclusions A⊥ and B, and S' be a cut-free simple proof net with con-
clusions B⊥ and A. If their composition by cut gives respectively the identity
simple net of A and B, then S and S' are bipartite.

Fig. 1. The shape of a bipartite proof net.



Proof. We actually show the contrapositive: if S or S' is not bipartite, then
their composition by cut is not bipartite, hence is not an identity proof net. By
symmetry, we can assume w.l.o.g. that S is not bipartite, and contains an axiom
link between two atoms of A⊥. We claim that the composition of S and S' by
cut over B is not bipartite.

Since S and S' are cut-free, their composition only contains a single cut link
(between B and B⊥). Since S and S' are simple, every axiom link of their
composition is atomic. Hence every (atomic) axiom link of the composed net that is
reduced by cut elimination is connected to an atom of B or B⊥. In particular,
the axiom link of S only connected to atoms of A⊥ is not reduced. This proves
that cut elimination in the composed net does not lead to a bipartite net.

As a consequence, the theorem holds.



3 Reduction to Non-ambiguous Formulae 

To prove the correctness theorem, we first show that one can restrict our study
to non-ambiguous formulae, i.e. to formulae where each atom appears only once
positive and once negated.

Definition 11 (non-ambiguous formulae) We say that a formula A is non-
ambiguous if each atom in A occurs at most once positive and at most once
negative. For example, A ⊗ B and A ⅋ A⊥ are non-ambiguous, while A ⊗ A is not.

In the following, we will call substitution the usual operation [G_1/A_1, ..., G_n/A_n]
of replacement of the propositional atoms A_i of a formula by the formulae G_i.
A substitution will be denoted by greek letters σ, τ, ..., and we will also consider
substitutions extended to full proof nets, i.e. if R is a proof net, σ(R) will be
the proof net obtained from R by replacing all formulae F_j appearing in it by σ(F_j).


But we will also need a weaker notion, renaming, that may replace different 
occurrences of the same atom by different formulae in a net. 
Definition 12 (renaming) An application α from the set of occurrences of
atoms in a proof net R to a set of atoms is a renaming if α(R) (the net obtained
by substitution of each occurrence p of an atom of R by α(p)) is a correct proof
net.

Note that if R is simple, the definition of α only on the occurrences of atoms
in axiom links is sufficient to define α on every occurrence in R. If R is simple
and bipartite, then the definition of α only on the occurrences of atoms in one
conclusion of R is sufficient to define α on every occurrence in R.

Note also that, if the conclusions of R are ambiguous formulae, then two different 
occurrences of the same atom can be renamed differently, unlike what happens 
in the case of substitutions. 

As expected, a non-ambiguous formula can only be isomorphic to another 
non-ambiguous formula. 

Lemma 3 (non-ambiguous isomorphic formulae). Let A and B be isomor-
phic formulae, and α a renaming such that α(A) is non-ambiguous; then α(B⊥)
is non-ambiguous.

Proof. If A and B are isomorphic formulae, then (by theorem 10) there exists a
bipartite proof net with conclusions A, B⊥. Since α is a renaming, there also
exists a bipartite proof net with conclusions α(A), α(B⊥). Then, α(A) and α(B⊥)
have exactly the same atoms. And since α(A) is non-ambiguous, α(B⊥) is also
non-ambiguous.

We now prove that isomorphism is invariant by renaming. 

Theorem 13 (renaming preserves isomorphisms). If A and B are linearly
isomorphic, let R and R' be the associated simple proof nets (with conclusions
A⊥, B and B⊥, A respectively). If α is a renaming of (the occurrences of) the
atoms of R, then there exists α', a renaming of the atoms of R', such that α'(A)
and α(B) are isomorphic, i.e.:

— α'(R') is a correct proof net.

— α(A⊥) = (α'(A))⊥ and α'(B⊥) = (α(B))⊥.

— The composition of α(R) and α'(R') by cut over α(B) (resp. α'(A)) gives
the identity simple net of α'(A) (resp. α(B)).

Proof. We first have to define α'. Since (by theorem 10) R' is bipartite, it is
sufficient to define α' only on the occurrences of B⊥, i.e. to define α'(B⊥). So one
can define: α'(B⊥) = (α(B))⊥. Then the composition of α(R) and α'(R') by cut
over α(B) is a correct proof net. And since reduction of proof nets does not depend
on labels, this composition reduces to an identity net with conclusions α(A⊥)
and α'(A). An easy induction (on the number of connectives of α(A)) shows that
η-reduction in this net gives an axiom link. One then has α(A⊥) = (α'(A))⊥.
But then, the composition of α'(R') with α(R) by cut over α'(A) is a correct
proof net, that reduces to an identity net (since reduction of proof nets does not
depend on labels) that is the identity simple net of α(B).

Hence, α'(A) and α(B) are isomorphic.







We are finally in a position to show that we can restrict attention to non- 
ambiguous formulae. 

Lemma 4 (ambiguous isomorphic formulae). Let A and B be isomorphic
formulae such that A is ambiguous; then there exists a substitution σ and for-
mulae A' and B' non-ambiguous such that A' and B' are isomorphic formulae,
and A = σ(A') and B = σ(B').

Proof. Let R and R' be bipartite proof nets with conclusions B⊥, A and A⊥, B
respectively associated to the isomorphism between A and B. Since it is sufficient
here to define α only on occurrences of atoms of A, one can define a renaming
α such that α(A) has only distinct atoms (i.e. no atom of α(A) occurs twice
in α(A), even once positively and once negatively). In particular, α(A) is non-
ambiguous. Then, theorem 13 gives an algorithm for defining a renaming α'
such that α(A) and α'(B) are isomorphic: in particular α'(A⊥) = (α(A))⊥ and
α(B⊥) = (α'(B))⊥.

Let A' = α(A) and B' = α'(B). By theorem 13, A' and B' are isomorphic
and α(R) has conclusions A' and B'⊥.

On α(R) one can define a renaming α^{-1} such that α^{-1}(A') = A, and hence
α^{-1}(B'⊥) = B⊥.

Since α(R) is bipartite, it is equivalent to define α^{-1} on occurrences of R,
or only on occurrences of atoms of A'. But since all atoms of A' are distinct,
two distinct occurrences of atoms of A' correspond to distinct atoms of A'. One
can then define a substitution σ on atoms of A' by: σ(p) = α^{-1}(Occ(p)) where
Occ(p) is the single occurrence of the atom p in A'.

Thus, R = α^{-1}(α(R)) = σ(α(R)): in particular σ(A') = A and σ(B'⊥) =
σ(α(B⊥)) = α^{-1}(α(B⊥)) = B⊥, so σ(B') = B.

Finally, A' and B' are isomorphic non-ambiguous formulae such that σ(A') =
A and σ(B') = B.



Corollary 1 (reduction to non-ambiguous formulae). The set of couples
of isomorphic formulae is the set of instances (by a substitution on atoms) of
couples of isomorphic non-ambiguous formulae.

Proof. We show each inclusion separately.

Let A and B be two isomorphic formulae. By lemma 4, A and B are instances
of two non-ambiguous isomorphic formulae A' and B' (possibly A = A' and
B = B').

Conversely let C and D be isomorphic formulae and σ be a substitution
on atoms of C (and then also on atoms of D). Let R and R' be two bipartite
proof nets associated to C and D. The substitution σ defines on R a renaming
α (any substitution can be seen as a renaming). Let α' be the renaming defined
on R', associated to α as in theorem 13. Since α(C⊥) = σ(C⊥) = (σ(C))⊥, α'
is also the renaming induced by σ on R'. By theorem 13, α(C) and α(D) are
isomorphic. Hence σ(C) and σ(D) are isomorphic.

Hence, in what follows, we can focus only on non-ambiguous formulae.

We are now able to show that for non-ambiguous formulae the very existence 
of bipartite simple nets implies isomorphism. 

Theorem 14 (bipartite simple nets for non-ambiguous formulae). Let
S be a bipartite simple proof net over A⊥ and B, and S' a bipartite simple proof
net over B⊥ and A. Then their composition by cut over B reduces to the identity
simple net of A (resp. their composition by cut over A reduces to the identity
simple net over B).

Proof. Consider the composition of S and S' by cut over B (see figure).

By lemma 2, cut elimination in the subnet made of T(B), T(B⊥) and the cut gives a set of atomic
cut links between atoms of B and atoms of B⊥. Since S and S' are bipartite,
each such atomic cut link is connected to an atomic axiom link between an atom of A⊥ and an atom
of B, and to an atomic axiom link between an atom of B⊥ and an atom of A.
Now, the net only contains atomic redexes composed of cut and axiom links. The
reduction of these redexes gives the identity tree of A (since there is no axiom link
connecting atoms of A⊥ (resp. B) between them).




Theorems 14 and 10 have the following fundamental consequence.

Corollary 2. Two linear non-ambiguous formulae A and B are isomorphic if
and only if there exist simple bipartite proof nets having conclusions A⊥, B, and
B⊥, A.

4 Completeness for Isomorphisms in MLL 

Using the result of the above section, and the following simple lemma, we can
prove our main result, i.e. completeness of AC(⊗,⅋) for MLL without constants.

Lemma 5 (isomorphic formulae). If A and B are linearly isomorphic, then
they are both either ⅋-formulae or ⊗-formulae.

Proof. Actually, one ⅋-formula and one ⊗-formula can not be isomorphic. If
A_1 ⅋ A_2 and A_3 ⊗ A_4 were isomorphic, then there would exist a simple bipartite
proof-net with conclusions (A_1⊥ ⊗ A_2⊥), (A_3 ⊗ A_4), which is impossible because such
a net does not have a splitting (terminal) tensor, since removing one of both
terminal tensor links does not give two disconnected graphs (by bipartiteness).
Hence two isomorphic formulae must be both either ⅋-formulae or ⊗-formulae.



Theorem 15 (Isos completeness). If A and B are linearly isomorphic, then
AC(⊗,⅋) ⊢ A = B.

Proof. By induction on the size of the simple bipartite proof net, given by the
isomorphism, with conclusions A⊥, B.

If A and B are atomic, then the property is obvious.

Else the formulae A⊥ and B are both non atomic (since the net is bipartite,
they must contain the same number of atoms). Moreover, (by lemma 5) since A
and B are isomorphic, one of the formulae A⊥, B is a ⊗-formula and the other
one a ⅋-formula. One can assume, w.l.o.g., that B is a ⊗-formula, and A⊥ a
⅋-formula.

Now, removing all dangling ⅋ nodes in the proof net with conclusions A⊥,
B gives a correct proof net with conclusions of the form A_1⊥, ..., A_k⊥, B_1 ⊗ B_2. If
one of the formulae A_1⊥, ..., A_k⊥ contains a tensor node, removing it does not lead
to two disconnected graphs, since (by bipartiteness) every atom of A_1⊥, ..., A_k⊥
is connected to the formula B_1 ⊗ B_2.
The splitting tensor node (that must exist due to Girard's correctness crite-
rion) is necessarily the B_1 ⊗ B_2 node. Removing it yields, due to the correctness
criterion, two disconnected proof nets, which are still simple since the axiom
links were not modified.

We can recover from these nets two bipartite simple proof nets (a bipartite
proof net must have exactly two conclusions) by adding ⅋-links under the A_i⊥
(the order of the A_i⊥ does not matter). This constructs
two formulae A'_1⊥ (connected with B_1) and A'_2⊥ (connected with B_2). The nets
that we obtain contain at least one link less than the original net, and thus are
strictly smaller. It only remains to verify that B_1 and A'_1 are isomorphic, and
that B_2 and A'_2 are isomorphic, so that we can apply the induction hypothesis.

To do that, we use the fact that the two initial formulae are isomorphic.
If we put the initial ⅋ and ⊗ back, we obtain two formulae A' and B that
are isomorphic (by theorem 4). There exists a simple bipartite proof-net with
conclusions A' and B⊥. Since the formulae are non-ambiguous, we can extract
from this proof-net two simple bipartite proof-nets; one with conclusions A'_1 and
B_1⊥, the other with conclusions A'_2 and B_2⊥. Hence, by theorem 14, A'_1 and B_1
are isomorphic, and A'_2 and B_2 are isomorphic.

By induction hypothesis, AC(⊗,⅋) ⊢ A'_1 = B_1 and AC(⊗,⅋) ⊢ A'_2 = B_2, and
thus AC(⊗,⅋) ⊢ A' = B. We can conclude using the fact that AC(⊗,⅋) ⊢ A =
A'.

5 Handling the Units 

We have shown above soundness and completeness results for the theory of iso-
morphisms given in the introduction w.r.t. provable isomorphisms in MLL. This
essentially corresponds to isomorphisms in all ∗-autonomous categories, which
is a superset of all Symmetric Monoidal Closed Categories (SMCC's) without
units. Nevertheless, if we want to get an interesting result also in terms of mo-
dels, and then also handle SMCC's in their full form, we need to be able to add
units to our treatment.

5.1 Expansions of Axioms with Units: Identity Simple Nets Revisited

In the presence of the units 1 and especially ⊥, proof nets in general get more
involved, as ⊥ forces the introduction of the notion of box, for which we refer the
interested reader to [13], where a detailed explanation is presented.

For our purpose, it will suffice to recall here the proof-net formation rules for
the units:

[figure: the 1-link, and the ⊥-link, which from a net with conclusions Γ builds a net with conclusions Γ, ⊥]

Now, the expansion of an axiom can contain boxes, if the axiom formula involves
units; for example, the axiom for A ⊗ 1 gets fully η-expanded into:

[figure omitted]


5.2 Reduction of Isomorphisms to Simplified Formulae

First notice that a formula of the shape 1 ⊗ A is always isomorphic to A, and
⊥ ⅋ A is isomorphic to A.

Definition 16 (simplified formulae) A formula is called simplified if it has
no sub-formula of the shape 1 ⊗ A or ⊥ ⅋ A (where A is any formula). To each
formula A, we associate the formula s(A) obtained by normalizing A w.r.t. the
following canonical (confluent and strongly normalizing) rewriting system:

1 ⊗ A → A        A ⊗ 1 → A        ⊥ ⅋ A → A        A ⅋ ⊥ → A

We can restrict our attention to simplified formulae using the following theorem:

Theorem 17. Two formulae A and B are linearly isomorphic if and only if
s(A) and s(B) are linearly isomorphic.

Proof. We first show that 1 ⊗ A is isomorphic to A, and ⊥ ⅋ A is isomorphic to
A, and conclude using the fact that linear isomorphism is a congruence.
5.3 Completeness with Units

For simplified formulae, the proof of completeness is very similar to the one in the
case without units. We just have to extend the definition of bipartite simple
proof-nets:

Definition 18 (bipartite simple proof-nets) A cut-free simple proof-net is
bipartite if it has exactly two conclusions A and B, and it consists of

— T(A), T(B)

— a set of axiom links connecting atoms of A to atoms of B, but not atoms of
A between them or atoms of B between them

— and boxes with at least one conclusion in T(A) and at least one conclusion
in T(B).

Theorem 19. Let A and B be two simplified formulae. Let S be a cut-free
simple proof net with conclusions A⊥ and B, and S' be a cut-free proof net with
conclusions B⊥ and A. All the boxes in S and S' are boxes containing only the
constant 1.

Proof. In this proof, let n^1_X and n^⊥_X denote respectively the number of 1 and the
number of ⊥ in the proof-net X.

— The case where A or B is a constant is obvious.

— Otherwise, all the occurrences of the constant 1 in the two proof-nets are one
of the two sub-terms of a ⅋-link. The only way to have these two sub-terms
connected (which is necessary to make a proof-net) is to put the 1 in a box.
Each of these boxes corresponds to a distinct ⊥. From there we deduce that
n^⊥_S ≥ n^1_S, and n^⊥_{S'} ≥ n^1_{S'}.

— But n^1_S = n^⊥_{S'} and n^⊥_S = n^1_{S'}. Hence n^1_S = n^⊥_S. Thus there is no box with
something else than a 1 in S. Idem for S'.

It is easy to show that boxes of that kind behave like axiom links for cut-
elimination. It suffices to remark that the only possible case of cut-elimination
involving boxes in such a proof-net is the following one:

[figure: a cut between a 1-link and a box whose only content is a 1 together with its ⊥]

that reduces to

[figure: the single remaining 1-link with its ⊥]

Thus units can be viewed exactly as atoms in this case, and we can proceed
precisely as in the case without units to prove that

Theorem 20. If A and B are linearly isomorphic, then AC(⊗,⅋) ⊢ s(A) =
s(B).







Hence 

Theorem 21 (Isos completeness with units). If A and B are linearly iso-
morphic, then ACI(⊗,⅋) ⊢ A = B.
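Theorems 15 and 21 turn isomorphism checking into equality modulo AC(⊗,⅋) after the simplification s(·) of Definition 16. The following Python program is an added example, not code from the paper: it normalises MLL formulae modulo the equations of Definitions 2 and 3 and decides isomorphism by comparing normal forms, then checks the three λ-calculus isomorphisms of the introduction under the translation used there (A → B read as A⊥ ⅋ B, A × B as A ⊗ B, the unit type T as 1). The tuple encoding and all function names are this example's own assumptions.

```python
"""Deciding linear isomorphism of MLL formulae by normal forms (added example)."""

# Formula encoding chosen for this example (not the paper's notation):
#   ('atom', name, polarity)  polarity True = p, False = p^⊥
#   ('tensor', A, B) = A ⊗ B   ('par', A, B) = A ⅋ B
#   ('one',) = the unit 1      ('bot',) = the unit ⊥
ONE = ('one',)
BOT = ('bot',)

def atom(name, positive=True): return ('atom', name, positive)
def tensor(a, b): return ('tensor', a, b)
def par(a, b): return ('par', a, b)

def neg(f):
    """Linear negation pushed to the atoms by De Morgan duality:
    (A ⊗ B)⊥ = A⊥ ⅋ B⊥, (A ⅋ B)⊥ = A⊥ ⊗ B⊥, 1⊥ = ⊥, ⊥⊥ = 1."""
    tag = f[0]
    if tag == 'atom':
        return ('atom', f[1], not f[2])
    if tag == 'tensor':
        return ('par', neg(f[1]), neg(f[2]))
    if tag == 'par':
        return ('tensor', neg(f[1]), neg(f[2]))
    return BOT if tag == 'one' else ONE

def lolli(a, b):
    """Linear implication A ⊸ B, read as A⊥ ⅋ B (the translation used in
    the introduction to move lambda-calculus isomorphisms into MLL)."""
    return par(neg(a), b)

def simplify(f):
    """s(A) of Definition 16: innermost rewriting with 1 ⊗ A → A, A ⊗ 1 → A,
    ⊥ ⅋ A → A, A ⅋ ⊥ → A.  The system is confluent and terminating, so this
    reaches the unique simplified form."""
    tag = f[0]
    if tag not in ('tensor', 'par'):
        return f
    left, right = simplify(f[1]), simplify(f[2])
    unit = ONE if tag == 'tensor' else BOT
    if left == unit:
        return right
    if right == unit:
        return left
    return (tag, left, right)

def _operands(f, tag):
    """Operands of a maximal run of the connective `tag` (associativity)."""
    if f[0] != tag:
        return [f]
    return _operands(f[1], tag) + _operands(f[2], tag)

def ac_normal(f):
    """AC(⊗,⅋)-normal form (Definition 2): each maximal run of one connective
    becomes a single n-ary node whose operands are normalised and sorted
    (commutativity), so AC-equal formulae get identical normal forms."""
    tag = f[0]
    if tag not in ('tensor', 'par'):
        return f
    return (tag, tuple(sorted((ac_normal(g) for g in _operands(f, tag)), key=repr)))

def ac_equal(a, b):
    """AC(⊗,⅋) ⊢ A = B, i.e. isomorphism in MLL without units (Theorems 4, 15)."""
    return ac_normal(a) == ac_normal(b)

def aci_equal(a, b):
    """ACI(⊗,⅋) ⊢ A = B: drop units first (Theorem 17), then compare modulo
    AC (Theorems 20 and 21).  This is the full decision procedure for linear
    isomorphism in MLL with units."""
    return ac_equal(simplify(a), simplify(b))

def show(f):
    """ASCII rendering: * for ⊗, | for ⅋, a trailing ^ for negated atoms."""
    tag = f[0]
    if tag == 'atom':
        return f[1] + ('' if f[2] else '^')
    if tag in ('one', 'bot'):
        return '1' if tag == 'one' else 'bot'
    op = ' * ' if tag == 'tensor' else ' | '
    return '(' + show(f[1]) + op + show(f[2]) + ')'

if __name__ == '__main__':
    A, B, C = atom('A'), atom('B'), atom('C')
    # The introduction's examples, with A -> B read as A ⊸ B, A x B as A ⊗ B
    # and the unit type T as 1 (so T -> A becomes ⊥ ⅋ A); Lemma 5 for the last.
    cases = [
        ('T -> A = A', lolli(ONE, A), A),
        ('currying', lolli(tensor(A, B), C), lolli(A, lolli(B, C))),
        ('swap', lolli(A, lolli(B, C)), lolli(B, lolli(A, C))),
        ('tensor vs par', tensor(A, B), par(A, B)),
    ]
    for name, lhs, rhs in cases:
        print(f'{name:14} {show(lhs)} = {show(rhs)} ? {aci_equal(lhs, rhs)}')
```

Because s(·) and AC-normalisation are both canonical, `aci_equal` is a complete decision procedure: two formulae are linearly isomorphic exactly when it returns True.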

6 Conclusions 

We have shown that in MLL the only isomorphisms of formulae are given by
the most intuitive axioms, namely associativity and commutativity, only. Besi-
des the interest of the result on its own, this gives a very elegant symmetrical
interpretation of linear isomorphism in linear lambda calculus, and provides a
justification of the fact, observed several times in the past, that currying in fun-
ctional programming corresponds to "a sort of" associativity (this happens in
the implementation of abstract machines, as well as in the coding of lambda
terms into Berry's CDS [3]). Our result confirms once more that Linear Logic
is a looking glass through which fundamental properties of functional compu-
tation appear symmetrized and simplified. It should also be remarked that the
axiom links from Linear Logic play a similar role to the formula links originally
introduced by Lambek in his study of SMC objects [14], and that proof nets
were really the missing tool to understand linearity. In proving the result, we
used essentially the topological properties of the proof nets of linear logic, which
simplified enormously our task (for example, the reduction to non-ambiguous
formulae when working directly with lambda terms is far more complex than
here, where the axiom links allow us to give an elegant proof).
Abstract. We define choice logic programs as negation-free datalog programs
that allow rules to have exclusive-only disjunctions in the head. We show that 
choice programs are equivalent to semi-negative datalog programs, at least as far 
as stable models are concerned. We also discuss an application where strategic 
games can be naturally formulated as choice programs; it turns out that the stable 
models of such programs capture exactly the set of Nash equilibria. 

Keywords: nondeterminism, choice, logic programs, stable model semantics, 
game theory 



1 Introduction 

Stable model semantics [2] can be regarded as introducing nondeterminism into logic
programs, as has been convincingly argued in [11,9]. E.g. a program such as

has no (unique) total well-founded model but it has two total stable models, namely
{p, ¬q} and {¬p, q}, representing a choice between p and q. This nondeterminism may
not show up in the actual models, as in the program

q ← ¬p

p ← ¬p

where only the choice {p, ¬q} turns out to be acceptable (the alternative leading to a
contradiction).

In this paper, we simplify matters by providing for explicit choice sets in the head
of a rule. Using p ⊕ q to denote a choice between p and q, the first example above can
be rewritten as¹

p ⊕ q ←

Intuitively, ⊕ is interpreted as “exclusive or”, i.e. either p or q, but not both, should be
accepted in the above program.

It turns out that such choice programs, which do not use negation in the body, can 
meaningfully simulate arbitrary semi-negative logic programs, at least as far as their 
(total) stable model semantics are concerned. Since also the converse holds, we can 
conclude that, in a sense, choice is equivalent to negation. 

Providing explicit choice as the conclusion of a rule allows for the natural expression
of several interesting problems. In this paper, we show e.g. that strategic games [6] can be
conveniently represented using choice programs. Moreover, the stable models of such a
program characterize exactly the pure Nash equilibria of the game.

2 Choice Logic Programs 

In this paper, we identify a program with its grounded version, i.e. the set of all ground 
instances of its clauses. This keeps the program finite as we do not allow function symbols 
(i.e. we stick to datalog). 

Definition 1. A choice logic program is a finite set of rules of the form A ← B where
A and B are finite sets of atoms.

Intuitively, atoms in A are assumed to be xor’ed together while B is read as a conjunction.
In examples, we often use ⊕ to denote exclusive or, while “,” is used to denote
conjunction.

Example 1 (Prisoner’s Dilemma). The following simple choice logic program models
the well-known prisoner’s dilemma where d_i means “player i does not confess” and c_i
stands for “player i confesses”.

d1 ⊕ c1 ←
d2 ⊕ c2 ←
c1 ← d2
c1 ← c2
c2 ← d1
c2 ← c1

The semantics of choice logic programs can be defined very simply. 

Definition 2. Let P be a choice logic program. The Herbrand base of P, denoted B_P,
is the set of all atoms occurring in the rules of P. An interpretation is any subset of B_P.
An interpretation I is a model of P if for every rule A ← B, B ⊆ I implies that I ∩ A is
a singleton. A model of P which is minimal (according to set inclusion) is called stable.

Example 2 (Graph 3-colorability). Given the graph depicted in Fig. 1, assign each node
one of three colors such that no two adjacent nodes have the same color.

¹ Also the second example can be turned into a negation-free “choice” program, see theorem 2
below.
Fig. 1. Example graph which is 3-colorable.



This problem is known as graph 3-colorability and can be easily transformed into the
following choice program:

color(N, b) ⊕ color(N, y) ⊕ color(N, r) ← node(N)

← edge(N, M), color(N, C), color(M, C)

node(a) ←
node(b) ←
node(c) ←
node(d) ←
node(e) ←
edge(a, b) ←
edge(a, c) ←
edge(a, d) ←
edge(b, c) ←
edge(b, e) ←
edge(c, d) ←
edge(d, e) ←

The first rule states that every node should take one and only one of the three available 
colors: black (b), yellow (y) or red (r). The second demands that two adjacent nodes 
have different colors. All the other rules are facts describing the depicted graph. 

The stable models for this program reflect the possible solutions for this graph’s
3-colorability:

N1 = F ∪ {color(a, b), color(b, r), color(c, y), color(d, r), color(e, b)}
N2 = F ∪ {color(a, b), color(b, r), color(c, y), color(d, r), color(e, y)}
N3 = F ∪ {color(a, b), color(b, y), color(c, r), color(d, y), color(e, b)}
N4 = F ∪ {color(a, b), color(b, y), color(c, r), color(d, y), color(e, r)}
N5 = F ∪ {color(a, r), color(b, y), color(c, b), color(d, y), color(e, b)}
N6 = F ∪ {color(a, r), color(b, b), color(c, y), color(d, b), color(e, y)}
N7 = F ∪ {color(a, r), color(b, b), color(c, y), color(d, b), color(e, r)}
N8 = F ∪ {color(a, r), color(b, y), color(c, b), color(d, y), color(e, r)}
N9 = F ∪ {color(a, y), color(b, r), color(c, b), color(d, r), color(e, b)}
N10 = F ∪ {color(a, y), color(b, r), color(c, b), color(d, r), color(e, y)}
N11 = F ∪ {color(a, y), color(b, b), color(c, r), color(d, b), color(e, r)}
N12 = F ∪ {color(a, y), color(b, b), color(c, r), color(d, b), color(e, y)}

where F stands for the set of facts from the program.

It turns out that choice logic programs can simulate semi-negative datalog programs,
using the following transformation, which resembles the one used in [10] for the
transformation of general disjunctive programs into negation-free disjunctive programs.

Definition 3. Let P be a semi-negative logic program. The corresponding choice logic
program P_⊕ can be obtained from P by replacing each rule r : a ← B, ¬C from P with
B ∪ C ⊆ B_P and C ≠ ∅, by

a_r ⊕ K_C ← B   (r1)

a ← a_r   (r2)

∀c ∈ C · K_C ← c   (r3)

where a_r and K_C are new atoms that are uniquely associated with the rule r.

Intuitively, K_C is an “epistemic” atom which stands for “the (non-exclusive)
disjunction of atoms from C is believed”. If the positive part of a rule in the original
program P is true, P_⊕ will choose (rules r1) between accepting the conclusion and K_C,
where C is the negative part of the body; the latter prevents rule application. Each
conclusion is tagged with the corresponding rule (r2), so that rules for the same
conclusion can be processed independently. Finally, the truth of any member of C implies
the truth of K_C (rules r3).

Definition 4. Let P be a semi-negative logic program and let P_⊕ be the corresponding
choice logic program. An interpretation I for P_⊕ is called rational iff:

∀K_C ∈ I · I ∩ C ≠ ∅

Intuitively, a rational interpretation contains a justification for every accepted K_C.

Theorem 1. Let P be a semi-negative datalog program. M is a rational stable model
of P_⊕ iff M ∩ B_P is a (total) stable model of P.

The rationality restriction is necessary to prevent K_C from being accepted without
any of the elements of C being true. For positive-acyclic programs, we can get rid of
this restriction.
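As an added example (not the paper's code), the following Python carries out the translation of Definition 3, the rationality test of Definition 4, and a brute-force check of Theorem 1 on two constructed programs: the two-rule “choice between p and q” program described in the introduction and the three-rule program of Sect. 2. The tuple encoding of rules and the names a_r0 and K{q} chosen for the new atoms are assumptions of this example.

```python
"""Definition 3 (semi-negative program -> choice program P_⊕), Definition 4
(rational interpretations) and a brute-force check of Theorem 1.
Added example, not the paper's code; the data representation is ours:
a semi-negative rule a ← B, ¬C is the tuple (a, B, C) with B, C tuples of
atoms, and a choice rule is (head, body) with head read as an exclusive
disjunction."""
from itertools import combinations


def atoms_of(program):
    """The Herbrand base B_P of a semi-negative program."""
    base = set()
    for a, B, C in program:
        base |= {a, *B, *C}
    return base


def stable_models_gl(program):
    """Stable models of P (Gelfond-Lifschitz): M is stable iff M is the least
    model of the reduct P^M, i.e. of the rules whose ¬C part holds in M."""
    base, found = sorted(atoms_of(program)), set()
    for k in range(len(base) + 1):
        for M in map(frozenset, combinations(base, k)):
            reduct = [(a, B) for a, B, C in program if not set(C) & M]
            least, changed = set(), True
            while changed:
                changed = False
                for a, B in reduct:
                    if set(B) <= least and a not in least:
                        least.add(a)
                        changed = True
            if least == M:
                found.add(M)
    return found


def to_choice_program(program):
    """Definition 3.  A rule r : a ← B, ¬C with C ≠ ∅ becomes
    (r1) a_r ⊕ K_C ← B, (r2) a ← a_r, (r3) K_C ← c for each c ∈ C;
    rules without negation are copied.  Returns the rules and a map
    K_C -> C.  The atom names a_r<n> and K{...} are this example's choice."""
    rules, k_atoms = [], {}
    for n, (a, B, C) in enumerate(program):
        if not C:
            rules.append((frozenset({a}), frozenset(B)))
            continue
        C = frozenset(C)
        a_r = f"{a}_r{n}"                         # conclusion tagged with r
        K_C = "K{" + ",".join(sorted(C)) + "}"
        k_atoms[K_C] = C
        rules.append((frozenset({a_r, K_C}), frozenset(B)))   # (r1)
        rules.append((frozenset({a}), frozenset({a_r})))      # (r2)
        for c in C:                                          # (r3)
            rules.append((frozenset({K_C}), frozenset({c})))
    return rules, k_atoms


def choice_stable_models(rules):
    """Definition 2 by brute force: the inclusion-minimal interpretations I in
    which every applicable rule (body ⊆ I) has exactly one head atom in I."""
    base = sorted(set().union(*(head | body for head, body in rules)))

    def is_model(I):
        return all(not body <= I or len(head & I) == 1 for head, body in rules)

    models = [frozenset(I) for k in range(len(base) + 1)
              for I in combinations(base, k) if is_model(frozenset(I))]
    return {M for M in models if not any(N < M for N in models)}


def rational(I, k_atoms):
    """Definition 4: every accepted K_C is justified by some c ∈ C ∩ I."""
    return all(I & C for K_C, C in k_atoms.items() if K_C in I)


def theorem1_check(program):
    """Return (stable models of P, rational stable models of P_⊕ projected
    onto B_P, number of stable models of P_⊕ that are not rational).
    Theorem 1 says the first two sets coincide."""
    rules, k_atoms = to_choice_program(program)
    base = atoms_of(program)
    sms = choice_stable_models(rules)
    projected = {M & base for M in sms if rational(M, k_atoms)}
    not_rational = sum(1 for M in sms if not rational(M, k_atoms))
    return stable_models_gl(program), projected, not_rational


# Constructed inputs: the two-rule "choice between p and q" program that
# Section 1 describes, and the three-rule program of Section 2.
CHOICE_PQ = [("p", (), ("q",)), ("q", (), ("p",))]
SECTION2 = [("p", (), ("q",)), ("p", (), ("p",)), ("q", (), ("p",))]

if __name__ == "__main__":
    for prog in (CHOICE_PQ, SECTION2):
        print(theorem1_check(prog))
```

On both inputs P_⊕ also has the stable model in which every K_C is accepted without justification, which is exactly what the rationality restriction excludes.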
Definition 5. A semi-negative logic program P is called positive-acyclic iff there is an
assignment of positive integers to each element of B_P such that the number of the head of
any rule is greater than any of the numbers assigned to any non-negated atom appearing
in the body.

Note that, obviously, all stratified [8] programs are positive-acyclic. Still, many other
“nondeterministic” programs such as



are also positive-acyclic.

Theorem 2. Let P be a semi-negative positive-acyclic datalog program. There exists a
choice logic program P_⊕ such that M is a stable model of P_⊕ iff M ∩ B_P is a stable
model of P.

We illustrate the construction underlying theorem 2 on the following program.

p ← ¬q

p ← ¬p

q ← ¬p

The equivalent choice logic program is

p ⊕ p⁻ ←
q ⊕ q⁻ ←
p⁻ ← p, q
q⁻ ← p
p ← q⁻
p ← p⁻
q ← p⁻

Intuitively, p stands for “there is a proof for p” while p⁻ stands for “there is no proof
for p”. The first two rules force the program to choose between these alternatives for
every atom in the program. The rules concluding p⁻ (or q⁻) are constructed in such a
way that the truth of the body effectively blocks all possible proofs for p (resp. q). Note
that the example has a single stable model {p, q⁻} which corresponds to the original’s
stable model {p, ¬q}.

Choice programs can be trivially simulated by semi-negative datalog programs.

Theorem 3. Let P_⊕ be a choice program. There exists a semi-negative datalog program
P such that M is a stable model of P_⊕ iff M is a stable model of P.

3 Computing Stable Models 

Stable models for choice logic programs can be computed by a simple “backtracking
fixpoint” procedure. Essentially, one extends an interpretation by applying an
immediate consequence operation, then makes a choice for every applicable rule² which is
not actually applied³, backtracking if this leads to an inconsistency (i.e. the current
interpretation cannot be extended to a model).

² A rule A ← B is applicable w.r.t. an interpretation I iff B ⊆ I.



function fix(set<atom> N): set<atom>
{
  set<atom> M = ∅;
  repeat
    for each (A ← B) ∈ P do
      if B ⊆ M ∧ ∃a ∈ A · a ∉ M ∪ N ∧ (A \ {a}) ⊆ N then
        M = M ∪ {a}
  until no change in M
  return M
}

Fig. 2. fix is an auxiliary function for BF.



Figure 3 on page 272 presents such a fixpoint computation procedure BF which is
called by the main program using

BF(fix(∅), ∅)

We believe this procedure to be simpler than a similar one presented in [11] for
semi-negative logic programs. BF uses an auxiliary function fix depicted in Fig. 2 on
page 271. fix is a variation on the immediate consequence operator: it computes the least
fixpoint of this operator given a fixed set N of atoms that are considered to be false.
Note that fix is deterministic since it only draws tentative conclusions from an
applicable rule if there is but one possible choice for an atom in the head that will be
true.

The main procedure BF in Fig. 3 takes two sets of atoms, M and N, containing the
atoms that have already been determined to be true and false, respectively. Note that,
because M = fix(N) upon entry, there are no applicable rules in P that have but one
undefined atom in the head. The procedure BF works by first verifying that no rules are
violated w.r.t. the current M and N (see the definition of V in Fig. 3). It then computes
the set C of applicable (but unapplied) rules for which a choice can be made as to the
atom from the head that needs to be true in order to apply the rule. If there are no such
rules, we have a model. Otherwise, the algorithm successively selects a rule r from C
and a possible choice c from the head of r that would make it applied. This choice is
“propagated” using fix, after which BF is called recursively using the new versions of
M and N⁴.

Theorem 4. Let P be a choice logic program. Then BF(fix(∅), ∅), where BF is described
in Fig. 3, terminates and computes exactly the set of stable models of P.

Note that, because of theorem 1, BF can be easily modified to compute the stable
models of any semi-negative logic program through its equivalent choice logic program.

³ An applicable (w.r.t. an interpretation I) rule is applied iff A ∩ I is a singleton.

⁴ Clearly, the algorithm can be made more efficient, e.g. by memoizing more intermediate results.
procedure BF(M, N : set<atom>)
{
  set<rule> V = {(A ← B) ∈ P | B ⊆ M ∧ (#(A ∩ M) > 1 ∨ A ⊆ N)}
  if (V ≠ ∅)
    return /* because some rules are violated */
  set<rule> C = {(A ← B) ∈ P | B ⊆ M ∧ #(A \ (M ∪ N)) > 1}
  if (C = ∅)
    output M
  else
    for each ((A ← B) ∈ C) {
      set<atom> c = A \ (M ∪ N)
      for each (a ∈ c) {
        set<atom> N' = N ∪ (c \ {a}) /* choosing a makes the other candidates false */
        BF(fix(N'), N')
      }
    }
}

Fig. 3. The BF (backtracking fixpoint) procedure for Choice Logic Programs.



                Bach    Stravinsky
Bach            2,1     0,0
Stravinsky      0,0     1,2

Fig. 4. Bach or Stravinsky (BoS)



4 An Application to Strategic Games 

A strategic game models a situation where several agents (called players) independently
make a decision about which action to take, out of a limited set of possibilities. The
result of the actions is determined by the combined effect of the choices made by each
player. Players have a preference for certain outcomes over others. Often, preferences
are modeled indirectly using the concept of payoff, where players are assumed to prefer
outcomes where they receive a higher payoff.

Example 3 (Bach or Stravinsky). Two people wish to go out together to a music concert. 
They can choose for Bach in one theater or for Stravinsky in another one. Their main 
concern is to be together, but one person prefers Bach and the other prefers Stravinsky. 
If they both choose Bach then the person who preferred Bach gets a payoff of 2 and the 
other one a payoff of 1. If both go for Stravinsky, it is the other way around. If they pick 
different concerts, they both get a payoff of zero. 

The game is represented in Fig. 4. One player’s actions are identified with the rows and 
the other player’s with the columns. The two numbers in the box formed by row r and 
column c are the players’ payoffs when the row player chooses r and the column player 
chooses c, the first component being the payoff of the row player. 

Definition 6 ([6]). A strategic game is a tuple ⟨N, (A_i)_{i∈N}, (≥_i)_{i∈N}⟩ where
- N is a finite set of players;
- for each player i ∈ N, A_i is a nonempty set of actions that are available to her (we
assume that A_i ∩ A_j = ∅ whenever i ≠ j) and,
- for each player i ∈ N, ≥_i is a preference relation on A = ×_{j∈N} A_j.

An element a ∈ A is called a profile. For a profile a we use a_i to denote the component
of a in A_i. For any player i ∈ N, we define A_{-i} = ×_{j∈N\{i}} A_j. Similarly, an element
of A_{-i} will often be denoted as a_{-i}. For a_{-i} ∈ A_{-i} and a_i ∈ A_i we will abbreviate as
(a_{-i}, a_i) the profile a' ∈ A which is such that a'_i = a_i and a'_j = a_j for all j ≠ i.

Playing a game ⟨N, (A_i)_{i∈N}, (≥_i)_{i∈N}⟩ consists of each player i ∈ N selecting a
single action from the set of actions A_i available to her. Since players are thought to
be rational, it is assumed that a player will select an action that leads to a “preferred”
profile. The problem, of course, is that a player needs to make a decision not knowing
what the other players will choose.

The notion of Nash equilibrium shows that, in many cases, it is still possible to limit 
the possible outcomes (profiles) of the game. 

Definition 7. A Nash equilibrium of a strategic game ⟨N, (A_i)_{i∈N}, (≥_i)_{i∈N}⟩ is a
profile a* satisfying

∀i ∈ N · ∀a_i ∈ A_i · (a*_{-i}, a*_i) ≥_i (a*_{-i}, a_i)

Intuitively, a profile a* is a Nash equilibrium if no player can unilaterally improve
upon his choice. Put another way, given the other players’ actions a*_{-i}, a*_i is the best
player i can do⁵.

Given a strategic game, it is natural to consider those moves that are best for player 
i, given the other players’ choices. 

Definition 8. Let ⟨N, (A_i)_{i∈N}, (≥_i)_{i∈N}⟩ be a strategic game. The best response
function B_i for player i ∈ N is defined by

B_i(a_{-i}) = {a_i ∈ A_i | ∀a'_i ∈ A_i · (a_{-i}, a_i) ≥_i (a_{-i}, a'_i)}

The following definition shows how games allow an intuitive representation as choice 
logic programs. 

Definition 9. Let G = ⟨N, (A_i)_{i∈N}, (≥_i)_{i∈N}⟩ be a strategic game. The choice logic
program P_G associated with G contains the following rules:

- For each player i, P_G contains the rule A_i ←. This rule ensures that each player i
chooses exactly one action from A_i.

- For each player i and for each profile a ∈ A_{-i}, P_G contains a rule⁶ B_i(a) ← a. It
models the fact that a player will select a “best response”, given the other players’
choices.

Essentially, Pq simply forces players to choose an action. Moreover, the action 
chosen should be a “best response” to the other players’ actual choices. 

⁵ Note that the actions of the other players are not actually known to i.

⁶ We abuse notation by writing a for the set of components of a.
Theorem 5. For every strategic game G = ⟨N, (A_i)_{i∈N}, (≥_i)_{i∈N}⟩ there exists a
choice logic program P_G such that the set of stable models of P_G coincides with the set of
Nash equilibria of G.

Example 4. Let us reconsider the Bach or Stravinsky game of example 3. This game has
two Nash equilibria, namely:

(Bach_1, Bach_2) and (Stravinsky_1, Stravinsky_2)

The corresponding choice logic program is:

b1 ⊕ s1 ←
b2 ⊕ s2 ←
b1 ← b2
s1 ← s2
b2 ← b1
s2 ← s1

where b_i and s_i are shorthands for player i choosing respectively Bach or Stravinsky.
This program has two stable models, namely {s1, s2} and {b1, b2}, that correspond to
the Nash equilibria of the game.
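As an added example (not the paper's code), the following Python implements choice logic programs (Definitions 1 and 2), the fix/BF backtracking fixpoint of Sect. 3 (Figs. 2 and 3) and the encoding P_G of Definition 9, and checks Theorem 5 on the Bach-or-Stravinsky game above and on the Prisoner's Dilemma of Example 1. The frozenset representation of rules and the payoff-function convention are assumptions of this example.

```python
"""Choice logic programs (Definitions 1 and 2), the fix/BF backtracking
fixpoint of Figs. 2 and 3, and the game encoding P_G of Definition 9.
Added example, not the paper's code.  Representation (ours): a rule is a pair
(head, body) of frozensets of atom strings; the head is read as an exclusive
disjunction (an empty head is a constraint), the body as a conjunction."""
from itertools import product


def fix(program, N):
    """fix of Fig. 2: least set M of conclusions forced once the atoms in N are
    false.  A rule contributes only when exactly one head atom a can still be
    true, i.e. a is undefined and every other head atom is in N."""
    M = set()
    changed = True
    while changed:
        changed = False
        for head, body in program:
            if not body <= M:
                continue
            for a in head:
                if a not in M and a not in N and (head - {a}) <= N:
                    M.add(a)
                    changed = True
    return M


def bf(program, M, N, found):
    """BF of Fig. 3 with M, N the atoms known true / false.  Branching on a
    single rule of C suffices (every stable model still lies on some branch),
    so unlike the figure we do not loop over every rule in C."""
    # V: applicable rules with two true head atoms, or with all head atoms false
    if any(body <= M and (len(head & M) > 1 or head <= N)
           for head, body in program):
        return
    # C: applicable rules whose head still has at least two undefined atoms
    C = [head for head, body in program
         if body <= M and len(head - M - N) > 1]
    if not C:
        found.add(frozenset(M))          # undefined atoms default to false
        return
    c = C[0] - M - N
    for a in c:
        N2 = N | (c - {a})               # choosing a makes the others false
        bf(program, fix(program, N2), N2, found)


def stable_models(program):
    """Theorem 4: BF(fix(∅), ∅) outputs exactly the stable models."""
    found = set()
    bf(program, fix(program, frozenset()), frozenset(), found)
    return found


def game_program(players, actions, payoff):
    """P_G of Definition 9: A_i ← for every player i and, for every profile a
    of the other players, B_i(a) ← a with B_i the best responses (Def. 8).
    payoff(profile_dict) -> {player: payoff} is this example's convention;
    action names must be distinct across players (A_i ∩ A_j = ∅)."""
    rules = []
    for i in players:
        rules.append((frozenset(actions[i]), frozenset()))
        others = [j for j in players if j != i]
        for combo in product(*(actions[j] for j in others)):
            a_minus_i = dict(zip(others, combo))
            utility = {ai: payoff({**a_minus_i, i: ai})[i] for ai in actions[i]}
            top = max(utility.values())
            best = frozenset(ai for ai, u in utility.items() if u == top)
            rules.append((best, frozenset(combo)))
    return rules


def nash_equilibria(players, actions, payoff):
    """Definition 7 by brute force, used to cross-check Theorem 5."""
    eqs = set()
    for combo in product(*(actions[i] for i in players)):
        prof = dict(zip(players, combo))
        if all(payoff({**prof, i: ai})[i] <= payoff(prof)[i]
               for i in players for ai in actions[i]):
            eqs.add(frozenset(combo))
    return eqs


# Bach or Stravinsky (Example 3 / Fig. 4) with b_i, s_i as in Example 4.
BOS_ACTIONS = {1: ["b1", "s1"], 2: ["b2", "s2"]}

def bos_payoff(p):
    if p[1] == "b1" and p[2] == "b2":
        return {1: 2, 2: 1}
    if p[1] == "s1" and p[2] == "s2":
        return {1: 1, 2: 2}
    return {1: 0, 2: 0}

# Prisoner's Dilemma (Example 1 / Fig. 5): d_i = do not confess, c_i = confess.
PD_ACTIONS = {1: ["d1", "c1"], 2: ["d2", "c2"]}
PD_TABLE = {("d1", "d2"): (3, 3), ("d1", "c2"): (0, 4),
            ("c1", "d2"): (4, 0), ("c1", "c2"): (1, 1)}

def pd_payoff(p):
    u1, u2 = PD_TABLE[(p[1], p[2])]
    return {1: u1, 2: u2}

if __name__ == "__main__":
    for name, acts, pay in (("BoS", BOS_ACTIONS, bos_payoff),
                            ("PD", PD_ACTIONS, pd_payoff)):
        sm = stable_models(game_program([1, 2], acts, pay))
        print(name, sorted(sorted(m) for m in sm),
              "= Nash equilibria:", sm == nash_equilibria([1, 2], acts, pay))
```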

Example 5. The program in example 1 is the choice logic program corresponding to
the strategic game depicted in Fig. 5. Here two prisoners are interrogated in separate
rooms. Each one must decide whether or not to confess. Confessing implicates the other
prisoner and may result in a lighter sentence, provided the other prisoner did not confess.
This game has one Nash equilibrium

(Confess_1, Confess_2)

corresponding to the single stable model of the program of example 1.

                  Do not confess   Confess
Do not confess    3,3              0,4
Confess           4,0              1,1

Fig. 5. Prisoner’s Dilemma

Note that the construction of P_G can be regarded as an encoding of the fact that the
rationality and preferences of the players are common knowledge, as all rules interact
and “cooperate” to verify atoms. This observation opens the possibility of extending the
present approach to one where players may not be fully aware of each other’s beliefs. This
could be done, e.g. by considering a “choice” variation of “ordered logic programs” [3,4,5].

Another interesting aspect of theorem 5 is that, in combination with theorem 4, it 
provides a systematic method for the computation of Nash equilibria for (finite) strategic 
games. 
Corollary 1. For every strategic game G = ⟨N, (A_i)_{i∈N}, (≥_i)_{i∈N}⟩ there exists a
semi-negative datalog program P_G such that the set of stable models of P_G coincides
with the set of Nash equilibria of G.



5 Relationship to Other Approaches and Directions for Further 
Research 

The logical foundations of game theory have been studied for a long time in the confines
of epistemic logic, see e.g. [1] for a good overview. However, to the best of our knowledge,
very little has been done on using logic programming-like formalisms to model
game-theoretic concepts.

An important exception is [7] which introduces a formalism called “Independent 
Choice Logic” (ICL) which uses (acyclic) logic programs to deterministically model 
the consequences of choices made by agents. Since choices are external to the logic 
program, [7] restricts the programs further to not only be deterministic (i.e. each choice 
leads to a unique stable model) but also independent in the sense that literals representing 
alternatives may not influence each other, e.g. they may not appear in the head of rules. 
ICL is further extended to reconstruct much of classical game theory and other related 
fields. 

The main difference with our approach is that we do not go outside of the realm of 
logic programming to recover the notion of Nash equilibria. Contrary to ICL, we rely 
on nondeterminism to represent alternatives, and on the properties of stable semantics 
to obtain Nash equilibria. As for the consequences of choices, these are represented in 
choice logic programs, much as they would be in ICL. 

The present paper succeeded in recovering Nash equilibria without adding any
fundamentally new features to logic programs (on the contrary, we got rid of negation in
the body). However, the results are restricted to so-called “pure” equilibria where each
participant must choose a single response. We would like to extend the formalism
further to cover, in a similar way, also other game-theoretic notions. E.g. we are presently
working on extending our approach to represent mixed equilibria (which are probability
distributions over alternatives) as well. Finally, as mentioned in Sec. 4, using (an
extension of) ordered logic could simplify the introduction of epistemic features into the
formalism.
Abstract. The modal logic KW with finite temporal frames (i.e. well-founded
frames) can be used for verifying properties where system termination is assumed,
such as partial correctness of a system. This paper presents a unification-based
proof method for the modal logic KW. In order to certify that a formula
does not have a model on a well-founded frame, it is necessary to show that
if it has a model, then the model contains infinitely many transitions. This is, however,
difficult to examine with unification-based proof methods. This paper introduces
the concept of non-iterative frames. The satisfiability of a formula in non-iterative
frames agrees with that in well-founded frames. The size of the evidence that
a formula does not have a model on a non-iterative frame is finite.
Based on this property, we have constructed a unification-based prover to check
unsatisfiability of a formula in KW.



1 Introduction 

The modal logic KW, whose frames are restricted to finite temporal structures (i.e.
well-founded frames), can be used for the verification of properties where system
termination is assumed, such as partial correctness of a system (e.g. “the termination of
the system is always normal termination”).

Let us consider the following example of a client-server system. Let the server be
a beer shop and the client be its customer. The specification of the server is “the shop
serves a beer for the customer’s request”. The specifications of the client are “first, the
customer requests a beer” and “after the customer finishes drinking the beer, he becomes
satisfied or requests one more beer”. The property we want to verify is “if the interaction
between the shop and its customer terminates, the customer is satisfied”.

This example can be specified in the logic KW as follows. The specification of
the server ServerSpec is written as “□(Req → ◇Beer)” and the specification of the client
ClientSpec is “◇Req ∧ □(Beer → (◇Satisfied ∨ ◇Req))”; the property Correctness we will
verify is “◇Satisfied”. □ and ◇ are modal operators expressing “always” and “sometimes”.
Req, Beer and Satisfied are propositions expressing “the customer requests the beer”, “the
shop serves a beer (the customer drinks a beer)” and “the customer is satisfied”. We
can verify the property by proving the formula ServerSpec ∧ ClientSpec → Correctness in
the logic KW.

We can also verify the property by using temporal logics with frames restricted to
infinite linear discrete temporal structures (e.g. the natural number frame). These logics
are not as appropriate as KW for this type of specification, because in KW we can omit the
formula representing the assumption of system termination. Since the logic KW treats
finite temporal structures only, it is sufficient to write the conclusion part of the
property, i.e. “the system terminates normally”, in KW. On the other hand, we have to
specify the formula representing the assumption of system termination (the assumption part
of the property), i.e. “if the system terminates”, if the infinite linear discrete temporal
logics are used. For example, to describe the property Correctness in the example using
an infinite linear discrete temporal logic, we have to write the assumption part “the
customer does not request forever”, as in ¬□◇Req → ◇Satisfied, although ◇Satisfied is
enough for KW.

Among various methods of proving modal formulas [1][2][10][11], unification-based
proof methods [12] are efficient and can be adapted to the various modal logics,
since modal unification [9] absorbs the differences between the modal systems. Although
such provers are adaptable to the basic modal logics K, K4, D, D4, T, S4, etc., they do not
deal with the modal logic KW.

Resolution methods using the translation from a modal formula into a formula of 
clausal normal form of predicate logic were proposed in [6] and [8]. They have advan- 
tages of making full use of proof strategies in resolution methods of predicate logic. 
They can adapt to the modal logics with first-order definable frames. However, they can 
not deal with the modal logic KW since well-foundedness is not first-order definable. 

Proof methods for the modal logics with first-order undefinable frames are sug- 
gested in [7] and [3]. The method proposed in [7] uses a combination of Hilbert style 
reasoning and semantical reasoning. Although it can deal with the logic KW, it is not so 
efficient because it uses Hilbert style reasoning. On the other hand, the method proposed 
in [3] uses translation from a modal formula into a formula of set theory. Although it 
can adapt to the logic KW, it requires the process of translation. 

In this paper, we present a unification-based resolution method for KW using the clausal
normal form of modal formulas. Its special feature is that it does not treat well-founded
frames directly but uses Herbrand non-iterative frames, introduced in this paper, as a
basis. A refutation in the method corresponds to showing unsatisfiability in the class
of Herbrand non-iterative frames instead of well-founded frames. A Herbrand
non-iterative frame is a frame where the same transition never repeats. Intuitively,
a Herbrand non-iterative frame can be considered a well-founded frame since a
formula has only a finite number of positive occurrences of ◇ operators, which correspond
to transitions, and the same transition never repeats. The satisfiability of a formula in
Herbrand non-iterative frames agrees with that in well-founded frames. In order to
show that a formula does not have a model on a well-founded frame, we have to show
that if the formula has a model then the model contains infinitely many transitions. This is,
however, difficult to examine with unification-based proof methods. The size of the
evidence that a formula does not have a model on a Herbrand non-iterative frame
is finite. Based on this property, we have constructed a unification-based proof method
for checking unsatisfiability of a formula in KW.

This paper is organized as follows. In Sect. 2, we introduce the well-founded frames
and the modal logic KW. In Sect. 3, we define the clausal normal form and give the
resolution method for KW. Section 4 shows the soundness and completeness of the resolution
method by using Herbrand non-iterative frames.
2 Modal Logic KW

The syntax of the modal logic KW is defined as usual [4]. The axiomatic system of
KW is the system obtained by adding the formula □(□A → A) → □A as an axiom to
the system K. Let f be a formula; ⊢_KW f denotes that f is a theorem in KW.

A frame is a tuple (W,R) and a model is a triple (W,R,V), where W is a set of
worlds, R is a binary relation on W (which is sometimes called the reachability relation)
and V is an assignment which gives a set of worlds to each proposition symbol.

A well-founded frame (W,R) and a well-founded model (W,R,V) satisfy transitivity
and well-foundedness.

Transitivity: ∀xyz(xRy ∧ yRz → xRz)

Well-foundedness: There is no infinite sequence x0 x1 x2 . . . where x0Rx1, x1Rx2, . . .

Example 1. Let N be the set of natural numbers and Q be the set of rational numbers; then
(N, >) is a well-founded frame. Neither (Q, >) nor (N, <) is a well-founded frame.

M,w ⊨ f denotes that a formula f is true at a world w ∈ W in a model M =
(W,R,V). The truth condition is defined as usual. A formula f is valid (unsatisfiable)
in the class of well-founded frames if and only if for every well-founded model
M = (W,R,V) and for every world w ∈ W, M,w ⊨ f (M,w ⊭ f).

The following property holds between the system KW and well-founded frames [4]:
⊢_KW f iff f is valid in the class of well-founded frames.

3 Resolution Method 

In this section, we define the clausal normal form of modal formulas and a unification- 
based resolution method for KW. 



3.1 Labeled Formula, Clausal Normal Form 

We assume that all ¬ operators in a formula occur in front of proposition symbols. This
restriction does not lose generality because the following rules can transform any formula
to an equivalent formula of that form.

¬(f ∧ g) ⇒ ¬f ∨ ¬g,  ¬(f ∨ g) ⇒ ¬f ∧ ¬g,  ¬¬f ⇒ f,  ¬□f ⇒ ◇¬f,  ¬◇f ⇒ □¬f.

Let f be a formula. The formula obtained by assigning different variable-labels to
each occurrence of the □ operator and different constant-labels to each occurrence of the ◇
operator in f is called the labeled formula, denoted by f*. We use □_x as the modal operator
□ associated with the variable-label x, and ◇_a as ◇ associated with the constant-label a.
The formula obtained by distributing modal operators according to the following rules,
and then transforming to conjunctive normal form, is called the clausal normal form. We
write the clausal normal form of f as f^c.

□_x(f ∧ g) ⇒ □_x f ∧ □_x g,  □_x(f ∨ g) ⇒ □_x f ∨ □_x g,

◇_a(f ∧ g) ⇒ ◇_a f ∧ ◇_a g,  ◇_a(f ∨ g) ⇒ ◇_a f ∨ ◇_a g




280 S. Hagihara and N. Yonezaki 



The clausal normal form is a formula of the form

Γ_1 ∧ . . . ∧ Γ_n

where each Γ_i is a formula of the form

α_{i1} L_{i1} ∨ . . . ∨ α_{im} L_{im}

each L_{ij} is a literal and each α_{ij} is a sequence of modal operators associated with labels.

Remark 1. Although the formula □(f ∨ g) → (□f ∨ □g) is not valid in the modal logic
KW, the rule □_x(f ∨ g) ⇒ □_x f ∨ □_x g is admissible because the common label x is used
in the labeled formula □_x f ∨ □_x g. The labeled formulas □_x(f ∨ g) and □_x f ∨ □_x g are
equivalent in the Herbrand model defined in Sect. 4.1.
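As an added example (not the paper's code), the following Python computes the labeled formula f* and the clausal normal form f^c of Sect. 3.1 (negation normal form, left-to-right labelling of □ with x, y, z and of ◇ with a, b, c, distribution of the labelled operators, conjunctive normal form); it reproduces f^c of Example 2 below and the clauses of the beer-shop verification goal from the introduction. The tuple encoding of formulas and the reading of f → g as ¬f ∨ g are assumptions of this example.

```python
"""Labeled formulas f* and clausal normal form f^c for KW (Sect. 3.1).
Added example, not the paper's code; the tuple encoding of formulas is ours:
a proposition symbol is a string 'P'; ('~', f) is ¬f, ('&', f, g) is f ∧ g,
('|', f, g) is f ∨ g, ('->', f, g) is f → g, ('[]', f) is □f and ('<>', f)
is ◇f.  After labelling, ('[]', 'x', f) is □_x f and ('<>', 'a', f) is ◇_a f."""


def nnf(f, neg=False):
    """Move every ¬ in front of a proposition symbol using the rules of
    Sect. 3.1: De Morgan, ¬¬f ⇒ f, ¬□f ⇒ ◇¬f, ¬◇f ⇒ □¬f (f → g is first read
    as ¬f ∨ g).  `neg` records whether f occurs under an odd number of ¬."""
    if isinstance(f, str):
        return ('~', f) if neg else f
    op = f[0]
    if op == '~':
        return nnf(f[1], not neg)
    if op == '->':
        return nnf(('|', ('~', f[1]), f[2]), neg)
    if op in ('&', '|'):
        flipped = {'&': '|', '|': '&'}[op] if neg else op
        return (flipped, nnf(f[1], neg), nnf(f[2], neg))
    if op in ('[]', '<>'):
        flipped = {'[]': '<>', '<>': '[]'}[op] if neg else op
        return (flipped, nnf(f[1], neg))
    raise ValueError(f"unknown connective {op!r}")


def label(f):
    """f*: give each □ a fresh variable-label (x, y, z, ...) and each ◇ a fresh
    constant-label (a, b, c, ...), numbering occurrences from left to right."""
    boxes, dias = iter("xyzuvw"), iter("abcdefgh")

    def go(g):
        if isinstance(g, str) or g[0] == '~':
            return g
        if g[0] == '[]':
            return ('[]', next(boxes), go(g[1]))
        if g[0] == '<>':
            return ('<>', next(dias), go(g[1]))
        return (g[0], go(g[1]), go(g[2]))

    return go(f)


def distribute(f, prefix=()):
    """Apply the distribution rules of Sect. 3.1 until every literal sits under
    its own sequence α of labelled operators.  Returns a tree over ('&', ..)
    and ('|', ..) whose leaves are ('lit', α, L), with α a tuple such as
    ('[]x', '<>b') and L a literal 'P' or '~P'."""
    if isinstance(f, str):
        return ('lit', prefix, f)
    if f[0] == '~':
        return ('lit', prefix, '~' + f[1])
    if f[0] in ('[]', '<>'):
        return distribute(f[2], prefix + (f[0] + f[1],))
    return (f[0], distribute(f[1], prefix), distribute(f[2], prefix))


def cnf(t):
    """Conjunctive normal form of a distributed tree: a list of clauses Γ_i,
    each a frozenset of (α, L) pairs (the prefixed literals α_ij L_ij)."""
    if t[0] == 'lit':
        return [frozenset({(t[1], t[2])})]
    if t[0] == '&':
        return cnf(t[1]) + cnf(t[2])
    return [c | d for c in cnf(t[1]) for d in cnf(t[2])]  # ∨ over ∧


def clausal_normal_form(f):
    """f^c = CNF of the distributed labelled negation normal form of f."""
    return cnf(distribute(label(nnf(f))))


def show(clauses):
    """Render clauses in the paper's notation, e.g. '([]x~P | []x<>bP | []x<>cQ)'."""
    return " & ".join("(" + " | ".join("".join(a) + L for a, L in sorted(c)) + ")"
                      for c in clauses)


# f of Example 2: ◇P ∧ □(¬P ∨ ◇P ∨ ◇Q) ∧ □¬Q
F_EX2 = ('&', ('&', ('<>', 'P'),
               ('[]', ('|', ('|', ('~', 'P'), ('<>', 'P')), ('<>', 'Q')))),
         ('[]', ('~', 'Q')))

# Beer-shop example of Sect. 1: the refutation goal ¬(ServerSpec ∧ ClientSpec → Correctness)
SERVER = ('[]', ('->', 'Req', ('<>', 'Beer')))
CLIENT = ('&', ('<>', 'Req'),
          ('[]', ('->', 'Beer', ('|', ('<>', 'Satisfied'), ('<>', 'Req')))))
CORRECTNESS = ('<>', 'Satisfied')
BEER_GOAL = ('~', ('->', ('&', SERVER, CLIENT), CORRECTNESS))

if __name__ == "__main__":
    print(show(clausal_normal_form(F_EX2)))
    print(show(clausal_normal_form(BEER_GOAL)))
```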

3.2 Resolution Method 

The resolution method is a refutation system. First, we transform a formula f to f^c.
Then we apply the following resolution rules to f^c. We say f or f^c is refutable if the
empty clause ⊥ is derived from f^c.

1. From αL ∨ Γ and βL̄ ∨ Γ' infer (α⊥ ∨ Γ ∨ Γ')^{σ(α,β)},

2. From αγL ∨ Γ and βδL' ∨ Γ' infer (αγL ∨ Γ ∨ Γ')^{σ(α,β)},

3. From α⊥ ∨ Γ infer Γ (there is no □ in α),

4. From αγ⊥ ∨ Γ infer Γ (there is no □ in α and there are ◇s associated with the same
constant-labels in α),

where L, L' and L̄ are literals, L and L̄ are complementary literals, α, β, γ and δ are
sequences of modal operators associated with labels, σ(α,β) is a substitution which
unifies α and β, and (α⊥ ∨ Γ ∨ Γ')^{σ(α,β)} and (αγL ∨ Γ ∨ Γ')^{σ(α,β)} are the formulas
obtained by replacing modal operators in α⊥ ∨ Γ ∨ Γ' and αγL ∨ Γ ∨ Γ' according to the
substitution σ(α,β), respectively. Each substitution is a set of assignments from a modal
operator □ associated with a variable-label to a sequence of labeled modal operators in
{◇,□}+, i.e. of length greater than 0. If the same variable-labels appear in different
clauses, we deal with them as different variable-labels.

The resolution rules 1 and 3 are the usual rules. The resolution rule 2 is used for
replacing α by using σ(α,β). The resolution rule 4 is obtained from the characteristic of
well-founded frames. The rules 1, 2 and 3 are the resolution rules of the resolution method
for the modal logic K4, whose frames are restricted to transitive frames.

Example 2. A refutation of the following formula f is as follows.

f : ◇P ∧ □(¬P ∨ ◇P ∨ ◇Q) ∧ □¬Q

The labeled formula f* and the clausal normal form f^c are as follows.

f* : ◇_a P ∧ □_x(¬P ∨ ◇_b P ∨ ◇_c Q) ∧ □_y ¬Q

f^c : ◇_a P ∧ (□_x ¬P ∨ □_x ◇_b P ∨ □_x ◇_c Q) ∧ □_y ¬Q

Figure 1 shows a refutation of f^c.

[Fig. 1: refutation tree; only the step labels survive extraction: rule 1 with
σ = {□_x ◇_c / □_y}, and rule 4.]

Fig. 1. A refutation of ◇P ∧ □(¬P ∨ ◇P ∨ ◇Q) ∧ □¬Q



Example 3. A refutation of the formula g : ◇P ∧ □◇Q is as follows. g* and g^c are
◇_a P ∧ □_x ◇_b Q. Figure 2 shows a refutation of g^c.

[Fig. 2: refutation tree; of its nodes only the fragment ◇_a ◇_b ⊥ survives extraction.]

Fig. 2. A refutation of ◇P ∧ □◇Q
4 Soundness and Completeness of Resolution Method

In this section, we show the soundness and the completeness of the resolution method.
First, we propose the Herbrand non-iterative model, which can interpret clausal normal
forms, in Sect. 4.1. In Sect. 4.2, we define a tableau method T_KW for a labeled formula.
In Sect. 4.3, we show the property that the satisfiability of a formula f in well-founded
frames agrees with the satisfiability of f^c in Herbrand non-iterative frames, and the
property that the tableau method T_KW judges whether a formula is unsatisfiable in the
class of well-founded frames. In Sect. 4.4, we show the soundness of the resolution
method by using Herbrand non-iterative frames. In Sect. 4.5, we show the completeness
by using the tableau method T_KW.

4.1 Herbrand Non-iterative Model 

A frame (W,R) is a Herbrand non-iterative frame for f* if the following conditions are satisfied:

(1) W is a set of terms which consist of the special constant symbol o and the unary function symbols corresponding to the constant labels in f*. For example, let a, b be the constant labels in f*. Then W is {o, ao, bo, aao, abo, bao, bbo, aaao, …}.*

(2) R is a reachability relation on W which satisfies transitivity and non-iterativity.

Transitivity: ∀xyz(xRy ∧ yRz → xRz)

Non-iterativity: for every constant label a,

∀x(xRax ∧ axRaax → ⊥)

∀xy(xRax ∧ axRy ∧ yRay → ⊥)

Let (W,R) be a Herbrand non-iterative frame and V be an assignment which gives a set of worlds to each proposition symbol. We say (W,R,V) is a Herbrand non-iterative model.

The truth condition of a labeled formula is defined in a Herbrand non-iterative model HM = (W,R,V) as follows:

- HM,s ⊨ P ⟺ s ∈ V(P),

- HM,s ⊨ ¬P ⟺ ¬(HM,s ⊨ P),

- HM,s ⊨ f ∧ g ⟺ (HM,s ⊨ f) ∧ (HM,s ⊨ g),

- HM,s ⊨ f ∨ g ⟺ (HM,s ⊨ f) ∨ (HM,s ⊨ g),

- HM,s ⊨ □x f ⟺ ¬sRx ∨ (HM,x ⊨ f),

- HM,s ⊨ ◇a f ⟺ sRas ∧ (HM,as ⊨ f).

We write s ⊨ f instead of HM,s ⊨ f when HM is obvious from the context.

Obviously, a labeled formula f* and its clausal normal form are equivalent in a Herbrand non-iterative model.

Example 4. The labeled formulas □x(f ∨ g) and □x f ∨ □x g are equivalent in a Herbrand non-iterative model as follows.

s ⊨ □x(f ∨ g)

⟺ ¬sRx ∨ (x ⊨ (f ∨ g))

⟺ ¬sRx ∨ (x ⊨ f ∨ x ⊨ g)

⟺ (¬sRx ∨ x ⊨ f) ∨ (¬sRx ∨ x ⊨ g)

⟺ s ⊨ □x f ∨ □x g

* In this paper, we omit brackets: we write ao, abo, ay instead of a(o), a(b(o)), a(y).

Example 5. The labeled formula g : ◇aP ∧ □x(¬P ∨ ◇bP) does not have a Herbrand non-iterative model. Because, if g is true in a world s in a Herbrand non-iterative model, then the following contradiction occurs. (Underlined formulas are used for the derivation to the next line.)

s ⊨ ◇aP ∧ □x(¬P ∨ ◇bP)

⟹ (s ⊨ ◇aP) ∧ (s ⊨ □x(¬P ∨ ◇bP))

⟹ sRas ∧ (as ⊨ P) ∧ (¬sRx ∨ x ⊨ (¬P ∨ ◇bP))

⟹ sRas ∧ (as ⊨ P) ∧ (¬sRx ∨ x ⊨ (¬P ∨ ◇bP)) ∧ (as ⊨ (¬P ∨ ◇bP))

⟹ sRas ∧ (as ⊨ P) ∧ (¬sRx ∨ x ⊨ (¬P ∨ ◇bP)) ∧ (¬(as ⊨ P) ∨ (as ⊨ ◇bP))

⟹ sRas ∧ (as ⊨ P) ∧ (¬sRx ∨ x ⊨ (¬P ∨ ◇bP)) ∧ (as ⊨ ◇bP)

⟹ sRas ∧ (as ⊨ P) ∧ (¬sRx ∨ x ⊨ (¬P ∨ ◇bP)) ∧ asRbas ∧ (bas ⊨ P)

⟹ sRas ∧ (as ⊨ P) ∧ (¬sRx ∨ x ⊨ (¬P ∨ ◇bP)) ∧ asRbas ∧ (bas ⊨ P) ∧ sRbas (transitivity)

⟹ sRas ∧ (as ⊨ P) ∧ (bas ⊨ (¬P ∨ ◇bP)) ∧ asRbas ∧ (bas ⊨ P) ∧ sRbas

⟹ sRas ∧ (as ⊨ P) ∧ (¬(bas ⊨ P) ∨ (bas ⊨ ◇bP)) ∧ asRbas ∧ (bas ⊨ P) ∧ sRbas

⟹ sRas ∧ (as ⊨ P) ∧ (bas ⊨ ◇bP) ∧ asRbas ∧ (bas ⊨ P) ∧ sRbas

⟹ sRas ∧ (as ⊨ P) ∧ basRbbas ∧ (bbas ⊨ P) ∧ asRbas ∧ (bas ⊨ P) ∧ sRbas

⟹ ⊥ (non-iterativity)

The original formula of g is actually unsatisfiable in the class of well-founded frames.

4.2 Tableau Method for Labeled Formula 

In this section, we define the tableau method for a labeled formula.

In the tableau method, we assign the singleton {f*} of a labeled formula to the root node, make a tree by applying the following three expansion rules to the nodes, and judge the satisfiability of f in the class of well-founded frames according to whether the root node is closed or not. We say the tree whose root node is assigned {f*} is a tableau of f*. A tableau is said to be closed if its root node is closed. In this paper, FS(n) is an abbreviation of the set of formulas to which a node n is assigned.

- α-rule: Γ ∪ {f ∧ g} / Γ ∪ {f, g},

- β-rule: Γ ∪ {f ∨ g} / Γ ∪ {f} | Γ ∪ {g},

- π-rule: {□x1 f1, …, □xn fn, ◇a1 g1, …, ◇am gm, h1, …, hl} / {f1, …, fn, □x1 f1, …, □xn fn, gi} (1 ≤ i ≤ m),

where h1, …, hl are literals, the premise is written before the slash and the son(s) after it. The π-rule generates m sons.

Let n be a node generated by the π-rule, n' be the parent node of n, gi ∈ FS(n) and ◇ai gi ∈ FS(n'). Then we say n is the ai-son of n'. Let n be a node. When π-rules are applied and generate bi-sons successively in the expansions from the root node to n, we say the sequence of labels ◇b1 … ◇bm is the path of n.

A node n is closed if one of the following conditions is satisfied.

1. FS(n) has complementary literals, or

2. let ◇b1 … ◇bm be the path of n; for some constant label a and some i (1 ≤ i ≤ m−1), bi = bm = a, or

3. the α-rule or the β-rule is applied to n and all of n's sons are closed, or the π-rule is applied to n and at least one of n's sons is closed.

A node is open if it is not closed.

Expansions of the tableau terminate in finitely many steps because a labeled formula has only finitely many labels and π-rules cannot generate nodes with the same label iteratively. Therefore, we can decide whether the tableau is closed or open.

Example 6. The tableau of the formula g : ◇aP ∧ □x(¬P ∨ ◇bP) is closed as shown in Fig. 3. n1, …, n9 are nodes; n3 is the a-son of n2, n6 is the b-son of n5, n9 is the b-son of n8. The path of n4 is ◇a, the path of n7 is ◇a◇b, and the path of n9 is ◇a◇b◇b. n4 and n7 are closed by condition 1. n9 is closed by condition 2. As a result, n1 is closed by condition 3.

n1 {◇aP ∧ □x(¬P ∨ ◇bP)}
  α-rule
n2 {◇aP, □x(¬P ∨ ◇bP)}
  π-rule
n3 {P, ¬P ∨ ◇bP, □x(¬P ∨ ◇bP)}
  β-rule
n4 {P, ¬P, □x(¬P ∨ ◇bP)}        n5 {P, ◇bP, □x(¬P ∨ ◇bP)}
                                  π-rule
                                n6 {P, ¬P ∨ ◇bP, □x(¬P ∨ ◇bP)}
                                  β-rule
n7 {P, ¬P, □x(¬P ∨ ◇bP)}        n8 {P, ◇bP, □x(¬P ∨ ◇bP)}
                                  π-rule
                                n9 {P, ¬P ∨ ◇bP, □x(¬P ∨ ◇bP)}

Fig. 3. Tableau of ◇aP ∧ □x(¬P ∨ ◇bP) (rendered as text)
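The following Python program is an added illustration, not the paper's own code: it implements the tableau method of this section (the α-, β- and π-rules and the three closure conditions) on formulas written as nested tuples, decides Example 6 and Example 3 as closed, and a constructed satisfiable formula as open. The tuple encoding and the label() helper are this example's own conventions.

```python
"""Tableau method for labeled modal formulas over well-founded frames.

Added example (not the paper's own code).  Formulas are nested tuples:
    'P'                  proposition symbol       ('not', 'P')   negated literal
    ('and', f, g)        f ∧ g                    ('or', f, g)   f ∨ g
    ('box', x, f)        □_x f, x a variable label
    ('dia', a, f)        ◇_a f, a a constant label
Unlabeled input uses ('box', f) / ('dia', f); label() attaches fresh labels.
"""
import itertools
import string


def is_literal(f):
    return isinstance(f, str) or f[0] == 'not'


def complement(lit):
    return lit[1] if isinstance(lit, tuple) else ('not', lit)


def label(f, boxes=None, dias=None):
    """Give every □ a fresh variable label x1, x2, ... and every ◇ a fresh constant label a, b, ..."""
    boxes = itertools.count(1) if boxes is None else boxes
    dias = iter(string.ascii_lowercase) if dias is None else dias
    if is_literal(f):
        return f
    op = f[0]
    if op in ('and', 'or'):
        return (op, label(f[1], boxes, dias), label(f[2], boxes, dias))
    if op == 'box':
        return ('box', 'x%d' % next(boxes), label(f[1], boxes, dias))
    if op == 'dia':
        return ('dia', next(dias), label(f[1], boxes, dias))
    raise ValueError(f)


def closed(fs, path=()):
    """True iff the node with formula set fs and path (tuple of constant labels) is closed.

    Condition 1: complementary literals.  Condition 2: the last label of the
    path already occurs earlier in it.  Condition 3: recursion through the sons.
    """
    fs = frozenset(fs)
    lits = {f for f in fs if is_literal(f)}
    if any(complement(l) in lits for l in lits):        # condition 1
        return True
    if path and path[-1] in path[:-1]:                  # condition 2
        return True
    for f in fs:                                        # alpha-rule: one son
        if not is_literal(f) and f[0] == 'and':
            return closed((fs - {f}) | {f[1], f[2]}, path)
    for f in fs:                                        # beta-rule: both sons must close
        if not is_literal(f) and f[0] == 'or':
            return (closed((fs - {f}) | {f[1]}, path)
                    and closed((fs - {f}) | {f[2]}, path))
    boxes = [f for f in fs if not is_literal(f) and f[0] == 'box']
    dias = [f for f in fs if not is_literal(f) and f[0] == 'dia']
    if not dias:                                        # leaf: no rule applies, node is open
        return False
    # pi-rule: m sons {f1..fn, □x1 f1..□xn fn, g_i}; the literals h_j are dropped,
    # and at least one son must be closed
    core = frozenset(boxes) | {b[2] for b in boxes}
    return any(closed(core | {d[2]}, path + (d[1],)) for d in dias)


def unsatisfiable_in_kw(f):
    """Theorem 2: f is unsatisfiable in well-founded frames iff the tableau of f* is closed."""
    return closed({label(f)})


if __name__ == '__main__':
    # Example 6 / Fig. 3: ◇P ∧ □(¬P ∨ ◇P), closed (node n9 repeats label b)
    print(unsatisfiable_in_kw(('and', ('dia', 'P'), ('box', ('or', ('not', 'P'), ('dia', 'P'))))))
    # Example 3: ◇P ∧ □◇Q, closed
    print(unsatisfiable_in_kw(('and', ('dia', 'P'), ('box', ('dia', 'Q')))))
    # constructed satisfiable formula ◇P ∧ □(¬P ∨ Q), open
    print(unsatisfiable_in_kw(('and', ('dia', 'P'), ('box', ('or', ('not', 'P'), 'Q')))))
```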



4.3 Relation between Herbrand Non-iterative Model and Well-Founded Model

Satisfiability of a formula f in the class of well-founded frames coincides with that of f^c in the class of Herbrand non-iterative frames by the following theorem.

Theorem 1. Let f be a formula and f^c be its clausal normal form. f is unsatisfiable in the class of well-founded frames iff f^c has no Herbrand non-iterative model.

Theorem 2 shows that the tableau method judges whether a formula is unsatisfiable in the class of well-founded frames or not.

Theorem 2. The tableau of a labeled formula f* is closed iff f is unsatisfiable in the class of well-founded frames.

In order to prove theorem 1, we have to prove lemma 1. The lemma shows that the tableau method properly judges whether a formula has a Herbrand non-iterative model. Next, we prove theorem 2. Finally, we prove theorem 1 by using lemma 1 and theorem 2.

Lemma 1. Let f* be a labeled formula. The tableau of f* is closed iff f* has no Herbrand non-iterative model.

(proof of the only-if-part)

We get a subtree T' from a closed tableau T of f* as follows.

- The root node of T' is the root node of T.

- If n is a node of T' to which the α-rule is applied, T' includes n's son n1.

- If n is a node of T' to which the β-rule is applied, T' includes n's two sons n1, n2.

- If n is a node of T' to which the π-rule is applied and n' is n's closed son, T' includes n'.

We prove the following proposition by induction on the construction of T'. FS(n) is also used as an abbreviation of the conjunction of all the formulas in FS(n).

From the proposition, we automatically get the result.

Proposition 1. Let n be a node of T' and α = ◇b1 … ◇bm be the path of n. Then αFS(n) has no Herbrand non-iterative model.



C(s, b1b2 … bm) is an abbreviation of sRb1s ∧ b1sRb2b1s ∧ … ∧ bm−1 … b1sRbmbm−1 … b1s.

- n is closed by condition 1. Suppose some world s satisfies αFS(n). This contradicts the truth condition of a labeled formula as follows.

s ⊨ αFS(n) ⟹ (bm … b1s ⊨ L) ∧ (bm … b1s ⊨ L̄) ⟹ (bm … b1s ⊨ L) ∧ ¬(bm … b1s ⊨ L) ⟹ ⊥

- n is closed by condition 2. Suppose some world s satisfies αFS(n). Then C(s, b1b2 … bm) holds and bm and bi (1 ≤ i ≤ m−1) are the same labels. These contradict transitivity or non-iterativity of R.

- When the α-rule or the β-rule is applied to n, the proposition holds evidently.

- The π-rule is applied to n. FS(n) = {□x1 f1, …, □xn fn, ◇a1 g1, …, ◇am gm, h1, …, hl}. FS(n') = {f1, …, fn, □x1 f1, …, □xn fn, gi}. The path of n' is α◇ai. The induction hypothesis is that α◇ai FS(n') has no Herbrand non-iterative model.

Suppose some world s satisfies αFS(n). This contradicts the induction hypothesis as follows.

s ⊨ αFS(n)

⟹ C(s, α) ∧ bm … b1s ⊨ FS(n)

⟹ C(s, α) ∧ ∧j(bm … b1s ⊨ □xj fj) ∧ ∧j(bm … b1s ⊨ ◇aj gj) ∧ ∧j(bm … b1s ⊨ hj)

⟹ C(s, α) ∧ ∧j(¬bm … b1sRxj ∨ xj ⊨ fj) ∧ ∧j(bm … b1sRajbm … b1s ∧ ajbm … b1s ⊨ gj) ∧ ∧j(bm … b1s ⊨ hj)

⟹ C(s, α) ∧ ∧j(¬bm … b1sRx'j ∨ ¬x'jRxj ∨ xj ⊨ fj) ∧ ∧j(¬bm … b1sRxj ∨ xj ⊨ fj) ∧ (bm … b1sRaibm … b1s ∧ aibm … b1s ⊨ gi) ∧ ∧j(bm … b1s ⊨ hj)

⟹ C(s, α) ∧ ∧j(¬aibm … b1sRxj ∨ xj ⊨ fj) ∧ ∧j(aibm … b1s ⊨ fj) ∧ (bm … b1sRaibm … b1s ∧ aibm … b1s ⊨ gi)

⟹ C(s, α) ∧ bm … b1sRaibm … b1s ∧ (∧j(¬aibm … b1sRxj ∨ xj ⊨ fj) ∧ ∧j(aibm … b1s ⊨ fj) ∧ aibm … b1s ⊨ gi)

⟹ s ⊨ α◇ai FS(n')



(proof of the if-part)

We make a Herbrand non-iterative model and its world which satisfies f* from an open tableau of f*.

Since the expansion of a tableau terminates in finitely many steps, there exists a finite subtree T of the tableau of f* such that {f*} is assigned to the root node of T and each node n of T is open and satisfies one of the following conditions.

I. No rule can be applied to n, or

II. the α-rule or the β-rule is applied to n and n has an open son n', or

III. the π-rule is applied to n, FS(n) = {□x1 f1, …, □xn fn, ◇a1 g1, …, ◇am gm, h1, …, hl} and n has open ai-sons na1, …, nam.

By using the subtree T, we construct the Herbrand non-iterative model (W,R,V) which satisfies f*. W is defined by the definition of a Herbrand non-iterative model in Sect. 4.1. In order to define R and V, we assign each node of T to a world in W by the following rules.

- The root node of T is assigned to o.

- If the α-rule or the β-rule is applied to a node n and n is assigned to a world w, the son of n is also assigned to w.

- If the π-rule is applied to n and n is assigned to a world w, each ai-son of n is assigned to the world aiw respectively.

R and V are defined as follows.

- wRw' iff w ≠ w' and some node assigned to the world w is an ancestor of some node assigned to the world w'.

- w ∈ V(p) iff some node n is assigned to the world w and p ∈ FS(n).

(W,R) satisfies transitivity and non-iterativity evidently.

From the following proposition, we automatically get the result.

Proposition 2. For any node n in T, every labeled formula g ∈ FS(n) is true at the world to which n is assigned.

We prove this proposition by induction on the construction of T. Let n be a node in T and w be the world to which n is assigned.

1. n satisfies condition I.

(a) By the definition of V, it is obvious that for any p (resp. ¬p) in FS(n), w ∈ V(p) (resp. w ∉ V(p)).

(b) Every formula of the form □x f in FS(n) is true at w because n is a leaf node and there is no world reachable from w.

(c) There is none of f ∧ g, f ∨ g and ◇a g in FS(n).

2. n satisfies condition II.

Let f ∧ g (resp. f ∨ g) be the formula to which the α-rule (resp. β-rule) is applied and n' be n's son. The induction hypothesis is that every formula in FS(n') is true at w.

- f and g (resp. f or g) are true at w, because the induction hypothesis holds and FS(n') contains f and g (resp. f or g). Hence, f ∧ g (resp. f ∨ g) is true at w.

- Every formula f besides f ∧ g (resp. f ∨ g) in FS(n) is true at w because the induction hypothesis holds and f ∈ FS(n').

3. n satisfies condition III.

By the induction hypothesis, for any descendant n' of n, every formula in FS(n') is true at the world to which n' is assigned. (*)

(a) The case of p, ¬p in FS(n) is similar to case 1(a).

(b) Every formula of the form □x f in FS(n) is true at w because of the following two reasons.

- For any descendant n' of n, f ∈ FS(n') and the property (*) holds. Therefore, f is true at the world to which n' is assigned.

- Only the worlds to which n's descendants are assigned are reachable from w.

(c) Every formula of the form ◇ai g in FS(n) is true at w because of the following two reasons.

- g ∈ FS(nai) and the property (*) holds. Therefore, g is true at aiw.

- nai is a son of n and nai is assigned to aiw. Hence, aiw is reachable from w.

(d) FS(n) contains neither f ∧ g nor f ∨ g.

□

Next, in order to prove theorem 2, we define the tableau method for KW presented in [5]. We call it T_KW in this paper.

In the tableau method T_KW, the expansion rules are as follows.

- The α-rule and the β-rule are the same rules as defined in the tableau method for labeled formulas.

- π-rule: {□f1, …, □fn, ◇g1, …, ◇gm, h1, …, hl} / {f1, …, fn, □f1, …, □fn, gi, □¬gi} (1 ≤ i ≤ m).

The π-rule is based on the property that in a well-founded frame, if there is a world where gi is true, then there exists also a last world where gi is true.

A node n is closed if n satisfies condition 1 or 3 in the definition of the tableau for labeled formulas.

The following property holds between T_KW and well-founded frames:

f is unsatisfiable in the class of well-founded frames iff the T_KW tableau of f is closed [5].



Now, we prove theorem 2.

(proof of the only-if-part)

We show that for any closed tableau of f*, there exists a closed T_KW tableau of f.

Let T be a closed tableau of f*. We construct a T_KW tableau of f using the same rules as used in the expansion of T. Let T' be the result. Then, for every node n of T, there is a corresponding node n' of T' such that FS(n) ⊆ FS(n').

If n is closed by condition 1, FS(n') also has complementary literals because FS(n) ⊆ FS(n'). Therefore n' is also closed.

Suppose n is closed by condition 2, i.e. some constant label a occurs in the path of n twice. Then the following properties hold.

- Let n1 be n's parent. Then n is the a-son of n1, ◇a g ∈ FS(n1) and g ∈ FS(n).

- For some ancestor n2 of n, the following property holds. Let n3 be n2's parent. Then n2 is the a-son of n3, ◇a g ∈ FS(n3) and g ∈ FS(n2).

Let n', n'1, n'2, n'3 be the nodes in T' corresponding to n, n1, n2, n3 in T respectively. Then □¬g ∈ FS(n'2) holds because n'2 is n'3's son expanded by the π-rule. Hence □¬g ∈ FS(n'1) and ¬g ∈ FS(n'). Now, g ∈ FS(n') holds since g ∈ FS(n) and FS(n) ⊆ FS(n'). Hence n' is also closed.

T_KW tableaux have the same condition 3 as the tableaux for labeled formulas. Hence T' is closed.

(proof of the if-part)

The Herbrand non-iterative model generated in the proof of the if-part of lemma 1 is a well-founded model because it satisfies well-foundedness. Moreover, it satisfies f. Hence, for any open tableau of f*, there exists a well-founded model which satisfies f. □

By lemma 1 and theorem 2, a formula f is unsatisfiable in the class of well-founded frames if and only if the labeled formula f* does not have a Herbrand non-iterative model. Moreover, f* and the clausal normal form f^c are equivalent in a Herbrand non-iterative model. Hence, theorem 1 holds. □

4.4 Soundness of Resolution Method 

Theorem 3. If a formula f is refutable, then f is unsatisfiable in the class of well-founded frames.

Proof. By theorem 1, it is enough to show that for every resolution rule, if the premises are true in a world in a Herbrand non-iterative model, then the conclusion is also true there.

Let Γ be α1L1 ∨ … ∨ αmLm and γ be a sequence of modal operators with labels. Then we use γΓ as an abbreviation of γα1L1 ∨ … ∨ γαmLm.
resolution rule 1

By induction on the construction of the unification, we show that if (αL ∨ Γ) ∧ (βL̄ ∨ Γ') is true in a world in a Herbrand non-iterative model, then (α⊥ ∨ Γ ∨ Γ')^σ is also true there.

- In the case of the unification of two empty sequences, it is immediate from the fact

s ⊨ ((L ∨ Γ) ∧ (L̄ ∨ Γ')) ⟹ s ⊨ (Γ ∨ Γ').

- In the case of the unification of □xα2 and γβ2, by induction on the length of γ, we show that if (□xα2L ∨ □xΓ1 ∨ Γ2) ∧ (γβ2L̄ ∨ γΓ'1 ∨ Γ'2) is true in a world s of a Herbrand non-iterative model, then (□xα2⊥ ∨ □xΓ1 ∨ Γ2 ∨ γΓ'1 ∨ Γ'2)^{σ ∪ {γ/□x}} is also true in s.

• The length of γ is 1.

If γ is ◇a,

s ⊨ ((□xα2L ∨ □xΓ1 ∨ Γ2) ∧ (◇aβ2L̄ ∨ ◇aΓ'1 ∨ Γ'2))

⟺ ((¬sRx ∨ (x ⊨ α2L)) ∨ (¬sRx ∨ (x ⊨ Γ1)) ∨ (s ⊨ Γ2)) ∧ ((sRas ∧ (as ⊨ β2L̄)) ∨ (sRas ∧ (as ⊨ Γ'1)) ∨ (s ⊨ Γ'2))

⟹ (sRas ∧ (as ⊨ ((α2L ∨ Γ1) ∧ (β2L̄ ∨ Γ'1)))) ∨ (s ⊨ Γ2) ∨ (s ⊨ Γ'2)   …(+).

By the induction hypothesis, as ⊨ ((α2L ∨ Γ1) ∧ (β2L̄ ∨ Γ'1)) ⟹ as ⊨ (α2⊥ ∨ Γ1 ∨ Γ'1)^σ.

Hence, (+) ⟹ (sRas ∧ as ⊨ (α2⊥ ∨ Γ1 ∨ Γ'1)^σ) ∨ (s ⊨ Γ2) ∨ (s ⊨ Γ'2) ⟹ s ⊨ (□xα2⊥ ∨ □xΓ1 ∨ ◇aΓ'1 ∨ Γ2 ∨ Γ'2)^{σ ∪ {◇a/□x}}.

Similarly, we can show the case that γ is □y.

• The length of γ is k > 1.

If γ is ◇aγ',

s ⊨ ((□xα2L ∨ □xΓ1 ∨ Γ2) ∧ (◇aγ'β2L̄ ∨ ◇aγ'Γ'1 ∨ Γ'2))

⟺ ((¬sRx ∨ (x ⊨ α2L)) ∨ (¬sRx ∨ (x ⊨ Γ1)) ∨ (s ⊨ Γ2)) ∧ ((sRas ∧ (as ⊨ γ'β2L̄)) ∨ (sRas ∧ (as ⊨ γ'Γ'1)) ∨ (s ⊨ Γ'2))

⟹ ((¬sRx' ∨ ¬x'Rx ∨ (x ⊨ α2L)) ∨ (¬sRx' ∨ ¬x'Rx ∨ (x ⊨ Γ1)) ∨ (s ⊨ Γ2)) ∧ ((sRas ∧ (as ⊨ γ'β2L̄)) ∨ (sRas ∧ (as ⊨ γ'Γ'1)) ∨ (s ⊨ Γ'2))

⟹ (sRas ∧ as ⊨ ((□xα2L ∨ □xΓ1) ∧ (γ'β2L̄ ∨ γ'Γ'1))) ∨ (s ⊨ Γ2) ∨ (s ⊨ Γ'2)   …(+).

By the induction hypothesis, as ⊨ ((□xα2L ∨ □xΓ1) ∧ (γ'β2L̄ ∨ γ'Γ'1)) ⟹ as ⊨ (□xα2⊥ ∨ □xΓ1 ∨ γ'Γ'1)^{σ ∪ {γ'/□x}}.

Hence, (+) ⟹ (sRas ∧ as ⊨ (□xα2⊥ ∨ □xΓ1 ∨ γ'Γ'1)^{σ ∪ {γ'/□x}}) ∨ (s ⊨ Γ2) ∨ (s ⊨ Γ'2) ⟹ s ⊨ (□xα2⊥ ∨ □xΓ1 ∨ ◇aγ'Γ'1 ∨ Γ2 ∨ Γ'2)^{σ ∪ {◇aγ'/□x}}.

Similarly, we can show the case that γ is □yγ'.

- We can prove the case of the unification of ◇aα2 and ◇aβ2 similarly.

resolution rule 2, resolution rule 3

We can show the proof in the case of resolution rule 2 in the same way as used in the proof in the case of resolution rule 1. The proof in the case of resolution rule 3 is trivial.

resolution rule 4

Suppose that there exists a Herbrand non-iterative model and its world s in which αγL is true, where α is ◇a1 … ◇am and ai and aj are the same labels for some i, j (i < j). Then ai−1 … a1sRaiai−1 … a1s must hold for every i (1 ≤ i ≤ m). Therefore, one of the following is satisfied by transitivity of the reachability relation of the worlds in the Herbrand non-iterative model.

- i = j − 1 and ai−1 … a1sRai … a1s ∧ aj−1 … a1sRaj … a1s

- i < j − 1 and ai−1 … a1sRai … a1s ∧ ai … a1sRaj−1 … a1s ∧ aj−1 … a1sRaj … a1s

However, neither can hold because of non-iterativity of the reachability relation of the worlds in the Herbrand non-iterative model. Hence, there is no world s in a Herbrand non-iterative model where αγL is true. Therefore, if αγL ∨ Γ is true in a world in a Herbrand non-iterative model, then Γ is true. □



4.5 Completeness of Resolution Method 

Theorem 4. If a formula f is unsatisfiable in the class of well-founded frames, then f is refutable.

Proof. By theorem 2, it is enough to show that f^c is refutable if the tableau of f* is closed.

We get a subtree T' from the closed tableau T of f* in the same way as used in the proof of the only-if-part of lemma 1. We shall prove the following proposition by induction on the construction of T'. From this proposition, we automatically get the result.

Proposition 3. Let n be a node of T' and α be the path of n. Then αFS(n) is refutable.

- n is closed by condition 1. Since L, L̄ ∈ FS(n), there are clauses αL and αL̄ in the clausal normal form (αFS(n))^c. Hence, we can refute it by the resolution rules 1 and 3.
- n is closed by condition 2. Let ∧j ∨k … be (FS(n))^c. Then (αFS(n))^c is ∧j ∨k α… . We choose a clause Γ = ∨k α… from (αFS(n))^c. We can refute Γ by applying resolution rule 4 m times.

- When the α-rule or the β-rule is applied to n, the proposition holds evidently.

- The π-rule is applied to n. Let {□x1 f1, …, □xn fn, ◇a1 g1, …, ◇am gm, h1, …, hl} be FS(n) and ni be n's ai-son. Then FS(ni) is {f1, …, fn, □x1 f1, …, □xn fn, gi}.

Let … be fi^c and … be gi^c. Then (αFS(n))^c is … and (α◇ai FS(ni))^c is … .

The induction hypothesis is that (α◇ai FS(ni))^c is refutable.

Then we can refute Δ = … as follows.

1. We deduce the clause … for any i, j from Δ. We can deduce it by applying resolution rule 2 to the clauses … and … with the substitution {◇ai/□xi} hi times for any i, j.

2. We obtained the clauses … in step 1. Therefore we refute

Γ = …

as follows.

We define the relation ≻ between the clauses which appear in the refutation of (α◇ai ni)^c and the clauses which appear in the refutation of Γ, and define the type of a clause, as follows.

type | clause in (α◇ai ni)^c | ≻ | clause in Γ
A    | ∨k …                  | ≻ | ∨k …
B    | ∨k α◇ai … L           | ≻ | ∨k α□xi … L
A    | ∨k α◇ai … L           | ≻ | ∨k α◇ai … L

Γ3 ≻ Γ'3 if Γ1 ≻ Γ'1, Γ2 ≻ Γ'2 and Γ3, Γ'3 are the conclusions of the same resolution rule applied to Γ1, Γ2 and to Γ'1, Γ'2 respectively.

For any resolution rule,

• if there is a premise of type A, the conclusion has type A, and

• if all the premises have type B, the conclusion has type B.

We can refute Γ by using the corresponding clauses as used in the refutation of (α◇ai ni)^c. Let σ be a substitution used by resolution rule 1 or resolution rule 2 in the refutation of (α◇ai ni)^c. Then we use the following substitution σ' in the refutation of Γ.

• The resolution rule applied to clauses of type B:

σ' = (the substitution obtained by replacing □… with □… in σ)

• The resolution rule applied to a clause of type B and a clause of type A:

σ' = (σ − {β/□…}) ∪ {◇ai β/□…}

• The resolution rule applied to clauses of type A:

σ' = σ

Now, each clause in Δ appears in (αFS(n))^c. Therefore, (αFS(n))^c is refutable.

□



5 Conclusion 

In this paper, we have introduced Herbrand non-iterative frames and constructed a unification-based prover which checks unsatisfiability in the modal logic KW. The satisfiability of a labeled formula in the Herbrand non-iterative frames coincides with that of its original formula in the well-founded frames.

The main idea introduced in this paper is that the restriction on frames concerning infinite sequences of reachable worlds can be reformulated as a restriction on Herbrand frames concerning iterations of the transition. Many temporal structures, such as the time structure isomorphic to the structure of the natural numbers, satisfy restrictions on infinite sequences of reachable worlds. Therefore, the idea is applicable to many temporal structures, and the unification-based resolution method can be adapted to a wider range of (and more practical systems of) modal logic.
Abstract. We examine the complexity and expressivity of the combination of the Description Logic ALCQI with a terminological formalism based on cardinality restrictions on concepts. This combination can naturally be embedded into C², the two variable fragment of predicate logic with counting quantifiers. We prove that ALCQI has the same complexity as C² but does not reach its expressive power.

Keywords. Description Logic, Counting, Complexity, Expressivity



1 Introduction 

Description Logic (DL) systems can be used in knowledge based systems to represent and reason about taxonomical knowledge of a problem domain in a semantically well-defined manner [WS92]. These systems usually consist of at least the following three components: a DL, a terminological component, and a reasoning service.

Description logics allow the definition of complex concepts (unary predicates) and roles (binary relations) to be built from atomic ones by the application of a given set of constructors; for example the following concept describes those fathers having at least two daughters:

Parent ⊓ Male ⊓ (≥ 2 hasChild Female)

The terminological component (TBox) allows for the organisation of defined concepts and roles. The TBox formalisms studied in the DL context range from weak ones allowing only for the introduction of abbreviations for complex concepts, over TBoxes capable of expressing various forms of axioms, to cardinality restrictions that can express restrictions on the number of elements a concept may have. Consider the following three TBox expressions:

BusyParent = Parent ⊓ (≥ 2 hasChild Toddler)

Male ⊔ Female = Person ⊓ (= 2 hasChild⁻¹ Parent)

(≤ 2 Person ⊓ (≤ 0 hasChild⁻¹ Parent))

The first introduces BusyParent as an abbreviation for a more complex concept, the second is an axiom stating that Male and Female are exactly those persons having two parents, the third is a cardinality restriction expressing that in the domain of discourse there are at most two earliest ancestors.

The reasoning service performs tasks like subsumption or consistency tests for the knowledge stored in the TBox. There exist sound and complete algorithms for reasoning in a large number of DLs and different TBox formalisms that meet the known worst-case complexity of these problems (see [DLNN97] for an overview). Generally, reasoning for DLs can be performed in four different ways:

— by structural comparison of syntactical normal forms of concepts [BPS94].

— by tableaux algorithms that are hand-tailored to suit the necessities of the operators used to form the DL and the TBox formalism. Initially, these algorithms were designed to decide inference problems only for the DL without taking into account TBoxes, but it is possible to generalise these algorithms to deal with different TBox formalisms. Most DLs handled this way are at most PSpace-complete but additional complexity may arise from the TBox. The complexity of the tableaux approach usually meets the known worst-case complexity of the problem [SSS91,DLNN97].

— by perceiving the DL as a (fragment of a) modal logic such as PDL [GL96]; for many DLs handled in this manner already concept satisfiability is ExpTime-complete, but axioms can be "internalised" [Baa91] into the concepts and hence do not increase the complexity.

— by translation of the problem into a fragment of first order or another logic with a decidable decision problem [Bor96,OSH96].

From the fragments of predicate logic that are studied in the second context, only C², the two variable fragment of first order predicate logic augmented with counting quantifiers, is capable of dealing with the counting expressions that are commonly used in DLs; similarly it is able to express cardinality restrictions. Another thing that comes "for free" when translating DLs into first order logic is the ability to deal with inverse roles.

Combining all these parts into a single DL, one obtains the DL ALCQI, the well-known DL ALC [SSS91] augmented by qualifying number restrictions (Q) and inverse roles (I). In this work we study both complexity and expressivity of ALCQI combined with TBoxes based on cardinality restrictions.

Regarding the complexity we show that ALCQI with cardinality restrictions already is NExpTime-hard and hence has the same complexity as C² [PST97]¹. To our knowledge this is the first DL for which NExpTime-completeness has formally been proved. Since ALCQI with TBoxes consisting of axioms is still in ExpTime, this indicates that cardinality restrictions are algorithmically hard to handle.

¹ The NExpTime result is valid only if we assume unary coding of numbers in the counting quantifiers. This is the standard assumption made by most results concerning the complexity of DLs.
Despite the fact that both ALCQI and C² have the same worst-case complexity, we show that ALCQI lacks some of the expressive power of C². Properties of binary predicates (e.g. reflexivity) that are easily expressible in C² can not be expressed in ALCQI. We establish our result by giving an Ehrenfeucht-Fraïssé game that exactly captures the expressivity of ALCQI with cardinality restrictions. This is the first time in the area of DL that a game-theoretic characterisation is used to prove an expressivity result involving TBox formalisms. The game as it is presented here is not only applicable to ALCQI with cardinality restrictions; straightforward modifications make it applicable to both ALCQ as well as to weaker TBox formalisms such as terminological axioms.

In [Bor96] a DL is presented that has the same expressivity as C². This expressivity result is one of the main results of that paper and the DL combines a large number of constructs; the paper does not study the computational complexity of the presented logics. Our motivation is of a different nature: we study the complexity and expressivity of a DL consisting of only a minimal set of constructs that seem sensible when a reduction of that DL to C² is to be considered.

2 The Logic ALCQI

Definition 1. A signature is a pair τ = (Nc, Nr) where Nc is a finite set of concept names and Nr is a finite set of role names. Concepts in ALCQI are built inductively from these using the following rules: all A ∈ Nc are concepts, and, if C, C1, and C2 are concepts, then also ¬C, C1 ⊓ C2, and (≥ n S C) with n ∈ N, and S = R or S = R⁻¹ for some R ∈ Nr, are concepts. We define C1 ⊔ C2 as an abbreviation for ¬(¬C1 ⊓ ¬C2) and (≤ n S C) as an abbreviation for ¬(≥ (n+1) S C). We also use (= n S C) as an abbreviation for (≤ n S C) ⊓ (≥ n S C).

A cardinality restriction of ALCQI is an expression of the form (≥ n C) or (≤ n C) where C is a concept and n ∈ N; a TBox T of ALCQI is a finite set of cardinality restrictions.

The semantics of a concept is defined relative to an interpretation I = (Δ^I, ·^I), which consists of a domain Δ^I and a valuation (·^I) which maps each concept name A to a subset A^I of Δ^I and each role name R to a subset R^I of Δ^I × Δ^I. This valuation is inductively extended to arbitrary concept definitions using the following rules, where ♯M denotes the cardinality of a set M:

(¬C)^I := Δ^I \ C^I,   (C1 ⊓ C2)^I := C1^I ∩ C2^I,

(≥ n R C)^I := {a ∈ Δ^I | ♯{b ∈ Δ^I | (a,b) ∈ R^I ∧ b ∈ C^I} ≥ n},

(≥ n R⁻¹ C)^I := {a ∈ Δ^I | ♯{b ∈ Δ^I | (b,a) ∈ R^I ∧ b ∈ C^I} ≥ n}.

An interpretation I satisfies a cardinality restriction (≥ n C) iff ♯(C^I) ≥ n and it satisfies (≤ n C) iff ♯(C^I) ≤ n. It satisfies a TBox T iff it satisfies all cardinality restrictions in T; in this case, I is called a model of T and we will denote this fact by I ⊨ T. A TBox that has a model is called consistent.
Ψx(A) = Ax for A ∈ Nc

Ψx(¬C) = ¬Ψx(C)

Ψx(C1 ⊓ C2) = Ψx(C1) ∧ Ψx(C2)

Ψx(≥ n R C) = ∃^{≥n} y.(Rxy ∧ Ψy(C))

Ψx(≥ n R⁻¹ C) = ∃^{≥n} y.(Ryx ∧ Ψy(C))

Ψ(⋈ n C) = ∃^{⋈n} x.Ψx(C) for ⋈ ∈ {≥, ≤}

Ψ(T) = ∧{Ψ(⋈ n C) | (⋈ n C) ∈ T}

Fig. 1. The translation from ALCQI into C² adopted from [Bor96]



With ALCQ we denote the fragment of ALCQI that does not contain any inverse roles.

TBoxes consisting of cardinality restrictions have first been studied for the DL ALCQ in [BBH96]. They can express terminological axioms of the form C = D, which are the most expressive TBox formalism usually studied in the DL context [GL96], as follows: obviously, two concepts C, D have the same extension in an interpretation iff it satisfies the cardinality restriction (≤ 0 ((C ⊓ ¬D) ⊔ (¬C ⊓ D))). One standard inference service for DL systems is satisfiability of a concept C with respect to a TBox T (i.e., is there an interpretation I such that I ⊨ T and C^I ≠ ∅). For a TBox formalism based on cardinality restrictions this is easily reduced to TBox consistency, because obviously C is satisfiable with respect to T iff T ∪ {(≥ 1 C)} is a consistent TBox. For this reason we will restrict our attention to TBox consistency; other standard inferences such as concept subsumption can be reduced to consistency as well.

Until now there does not exist a tableaux based decision procedure for 
ALCQI TBox consistency. Nevertheless this problem can be decided with the 
help of a well-known translation of ALCQI-TBoxes to C² [Bor96] given in Fig. 1. 
The logic C² is the fragment of predicate logic that allows only two variables but is 
enriched with counting quantifiers of the form ∃^{⋈n}. The translation Ψ yields a 
satisfiable sentence of C² if and only if the translated TBox is consistent. Since 
the translation from ALCQI to C² can be performed in linear time, the NExpTime 
upper bound [GOR97,PST97] for satisfiability of C² directly carries over 
to ALCQI-TBox consistency: 

Lemma 1. Consistency of an ALCQI-TBox T can be decided in NExpTime. 

Please note that the NExpTime-completeness result from [PST97] is only 
valid if we assume unary coding of numbers in the input; this implies that a large 
number like 1000 may not be stored in logarithmic space in some k-ary representation 
but consumes 1000 units of storage. This is the standard assumption 
made by most results concerning the complexity of DLs. We will come back to 
this issue later in this paper. 
3 ALCQI Is NExpTime-Complete 

To show that NExpTime is also the lower bound for the complexity of TBox 
consistency we use a bounded version of the domino problem. Domino problems 
[Wan63,Ber66] have successfully been employed to establish undecidability and 
complexity results for various description and modal logics [Spa93,BS99]. 

3.1 Domino Systems 

Definition 2. For an n ∈ ℕ let ℤ_n denote the set {0, ..., n − 1} and ⊕_n denote 
the addition modulo n. A domino system is a triple 𝒟 = (D, H, V), where D 
is a finite set (of tiles) and H, V ⊆ D × D are relations expressing horizontal 
and vertical compatibility constraints between the tiles. For s, t ∈ ℕ let U(s,t) 
be the torus ℤ_s × ℤ_t and w = w_0, ..., w_{n−1} be an n-tuple of tiles (with n ≤ s). 

We say that 𝒟 tiles U(s,t) with initial condition w iff there exists a mapping 
τ : U(s,t) → D such that, for all (x,y) ∈ U(s,t), 

— if τ(x,y) = d and τ(x ⊕_s 1, y) = d' then (d,d') ∈ H (horizontal constraint); 

— if τ(x,y) = d and τ(x, y ⊕_t 1) = d' then (d,d') ∈ V (vertical constraint); 

— τ(i,0) = w_i for 0 ≤ i < n (initial condition). 

Bounded domino systems are capable of expressing the computational behaviour 
of restricted, so called simple, Turing Machines (TM). This restriction is 
non-essential in the following sense: Every language accepted in time T(n) and 
space S(n) by some one-tape TM is accepted within the same time and space 
bounds by a simple TM, as long as S(n), T(n) ≥ 2n [BGG97]. 

Theorem 1 ([BGG97], Theorem 6.1.2). Let M be a simple TM with input 
alphabet Γ. Then there exists a domino system 𝒟 = (D, H, V) and a linear time 
reduction which takes any input x ∈ Γ* to a word w ∈ D* with |x| = |w| such 
that 

— if M accepts x in time t_0 with space s_0, then 𝒟 tiles U(s,t) with initial 
condition w for all s ≥ s_0 + 2, t ≥ t_0 + 2; 

— if M does not accept x, then 𝒟 does not tile U(s,t) with initial condition w 
for any s, t ≥ 2. 

Corollary 1. Let M be a (w.l.o.g. simple) non-deterministic TM with time- 
(and hence space-) bound 2^{n^d} (d constant) deciding an arbitrary NExpTime- 
complete language L(M) over the alphabet Γ. Let 𝒟 be the according domino 
system and trans the reduction from Theorem 1. The following is a NExpTime- 
hard problem: 

Given an initial condition w = w_0, ..., w_{n−1} of length n. Does 𝒟 tile 
U(2^{n^d+1}, 2^{n^d+1}) with initial condition w? 

Proof. The function trans is a linear reduction from L(M) to the problem above: 
For v ∈ Γ* with |v| = n it holds that v ∈ L(M) iff M accepts v in time and 
space 2^{|v|^d} iff 𝒟 tiles U(2^{|v|^d+1}, 2^{|v|^d+1}) with initial condition trans(v). □ 
3.2 Defining a Torus of Exponential Size 

Just as defining infinite grids is the key problem in proving undecidability by 
reduction of unbounded domino problems, defining a torus of exponential size is 
the key to obtaining a NExpTime-completeness proof by reduction of bounded 
domino problems. 

To be able to apply Corollary 1 to TBox consistency for ALCQI we must 
characterise the torus ℤ_{2^n} × ℤ_{2^n} with a TBox of polynomial size. To characterise 
this torus we will use 2n conc epts X_0, ..., X_{n−1} and Y_0, ..., Y_{n−1}, where X_i 
codes the ith bit of the binary representation of the x-coordinate of an element 
a: 

For an interpretation I and an element a ∈ Δ^I we define pos(a) by 

$$pos(a) := \Bigl( \sum_{i=0}^{n-1} x_i \cdot 2^i,\ \sum_{i=0}^{n-1} y_i \cdot 2^i \Bigr), \quad\text{where}\quad
x_i = \begin{cases} 0, & \text{if } a \notin X_i^{\mathcal I} \\ 1, & \text{otherwise} \end{cases}
\qquad
y_i = \begin{cases} 0, & \text{if } a \notin Y_i^{\mathcal I} \\ 1, & \text{otherwise} \end{cases}$$

We use a well-known characterisation of binary addition (e.g. [BGG97]) to 
relate the positions of the elements in the torus: 

Lemma 2. Let x, x' be natural numbers with binary representations 

$$x = \sum_{i=0}^{n-1} x_i \cdot 2^i \quad\text{and}\quad x' = \sum_{i=0}^{n-1} x'_i \cdot 2^i .$$

This implies: 

$$x' = x + 1 \pmod{2^n} \quad\text{iff}\quad
\bigwedge_{k=0}^{n-1} \Bigl( \bigl( \bigwedge_{j=0}^{k-1} x_j = 1 \bigr) \rightarrow (x_k = 1 \leftrightarrow x'_k = 0) \Bigr)
\ \wedge\ 
\bigwedge_{k=0}^{n-1} \Bigl( \bigl( \bigvee_{j=0}^{k-1} x_j = 0 \bigr) \rightarrow (x_k = x'_k) \Bigr)$$

where the empty conjunction and disjunction are interpreted as true and false 
respectively. 

We define the TBox T_n to consist of the following cardinality restrictions: 

$$(\forall\, (\geq 1\ east\ \top)),\quad (\forall\, (\geq 1\ north\ \top)),$$

$$(\forall\, (= 1\ east^{-1}\ \top)),\quad (\forall\, (= 1\ north^{-1}\ \top)),$$

$$(\leq 1\ C_{(0,0)}),\quad (\geq 1\ C_{(0,0)}),\quad (\leq 1\ C_{(2^n-1,2^n-1)}),\quad (\forall\, D_{east} \sqcap D_{north}),$$

where we use the following abbreviations: the expression (∀ C) is an abbreviation 
for the cardinality restriction (≤ 0 ¬C), the concept ∀R.C stands for 
(≤ 0 R ¬C), and ⊤ stands for an arbitrary concept that is satisfied in all 
interpretations (e.g. A ⊔ ¬A). 

The concept C_{(0,0)} is satisfied by all elements a of the domain for which 
pos(a) = (0,0) holds. C_{(2^n−1,2^n−1)} is a similar concept, which is satisfied if 
pos(a) = (2^n − 1, 2^n − 1): 

$$C_{(0,0)} = \mathop{\sqcap}\limits_{k=0}^{n-1} \neg X_k \ \sqcap\ \mathop{\sqcap}\limits_{k=0}^{n-1} \neg Y_k, \qquad
C_{(2^n-1,2^n-1)} = \mathop{\sqcap}\limits_{k=0}^{n-1} X_k \ \sqcap\ \mathop{\sqcap}\limits_{k=0}^{n-1} Y_k .$$

The concept D_east (resp. D_north) enforces that along the role east (resp. north) 
the value of xpos (resp. ypos) increases by one while the value of ypos (resp. xpos) 
stays the same. They exactly resemble the formula from Lemma 2: 

$$\begin{array}{rcl}
D_{east} & = & \mathop{\sqcap}\limits_{k=0}^{n-1} \Bigl( \bigl( \mathop{\sqcap}\limits_{j=0}^{k-1} X_j \bigr) \rightarrow \bigl( (X_k \rightarrow \forall east.\neg X_k) \sqcap (\neg X_k \rightarrow \forall east.X_k) \bigr) \Bigr) \\[1ex]
& \sqcap & \mathop{\sqcap}\limits_{k=0}^{n-1} \Bigl( \bigl( \mathop{\sqcup}\limits_{j=0}^{k-1} \neg X_j \bigr) \rightarrow \bigl( (X_k \rightarrow \forall east.X_k) \sqcap (\neg X_k \rightarrow \forall east.\neg X_k) \bigr) \Bigr) \\[1ex]
& \sqcap & \mathop{\sqcap}\limits_{k=0}^{n-1} \bigl( (Y_k \rightarrow \forall east.Y_k) \sqcap (\neg Y_k \rightarrow \forall east.\neg Y_k) \bigr).
\end{array}$$

The concept D_north is similar to D_east where the role north has been substituted 
for east and the variables X_i and Y_i have been swapped. 

The following lemma is a consequence of the definition of pos and Lemma 2. 

Lemma 3. Let I = (Δ^I, ·^I) be an interpretation and a, b ∈ Δ^I. 

(a, b) ∈ east^I and a ∈ D_east^I implies: xpos(b) = xpos(a) + 1 (mod 2^n) and ypos(b) = ypos(a); 

(a, b) ∈ north^I and a ∈ D_north^I implies: xpos(b) = xpos(a) and ypos(b) = ypos(a) + 1 (mod 2^n). 

The TBox T_n defines a torus of exponential size in the following sense: 

Lemma 4. Let T_n be the TBox as introduced above. Let I = (Δ^I, ·^I) be an 
interpretation such that I ⊨ T_n. This implies 

$$(\Delta^{\mathcal I}, east^{\mathcal I}, north^{\mathcal I}) \cong (U(2^n, 2^n), S_1, S_2)$$

where U(2^n, 2^n) is the torus ℤ_{2^n} × ℤ_{2^n} and S_1, S_2 are the horizontal and vertical 
successor relations on the torus. 

Proof. We will only sketch the proof of this lemma. It is established by showing 
that the function pos is an isomorphism from Δ^I to U(2^n, 2^n). That pos is a 
homomorphism follows immediately from Lemma 3. Injectivity of pos is established 
by showing that each element (x,y) ∈ U(2^n, 2^n) is the image of at most 
one element of Δ^I by induction over the Manhattan distance of (x, y) to the upper 
right corner (2^n − 1, 2^n − 1) of the torus. The base case is trivially satisfied 
because T_n contains the cardinality restriction (≤ 1 C_{(2^n−1,2^n−1)}). The induction 
step follows from the fact that each element a ∈ Δ^I has exactly one east- 
and north-predecessor (since (∀ (= 1 east^{-1} ⊤)), (∀ (= 1 north^{-1} ⊤)) ∈ T_n) and 
Lemma 3. Surjectivity is established similarly starting from the corner (0,0). □ 

It is interesting to note that we need inverse roles only to guarantee that pos is 
injective. The same can be achieved by adding the cardinality restriction (≤ (2^n · 2^n) ⊤) 
to T_n, from which the injectivity of pos follows from its surjectivity and 
simple cardinality considerations. Of course the size of this cardinality restriction 
would only be polynomial in n if we allow binary coding of numbers. Also note 
that we have made explicit use of the special expressive power of cardinality 
restrictions by stating that, in any model of T_n, the extension of C_{(2^n−1,2^n−1)} 
must have at most one element. This can not be expressed with a TBox consisting 
of terminological axioms. 
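As an added example (my own code, not the paper's), the concept semantics above, the TBox T_n and the torus of Lemma 4 in Python: a small evaluator for ALCQI concepts over finite interpretations, T_n built as defined in this section (D_east and D_north are the concept form of Lemma 2), and a check that a constructed torus U(2^n, 2^n), with X_k and Y_k interpreted as the coordinate bits, is a model of T_n, while two disjoint copies of the torus are not, which is exactly what the restriction (≤ 1 C_{(2^n−1,2^n−1)}) noted above rules out. The tuple encoding of concepts and the names ext, is_model, tbox_n and torus are assumptions of this example.

```python
# Concepts are nested tuples (a constructed encoding, not the paper's):
# ('atom', A), ('not', C), ('and', C1, C2), ('ge'|'le', n, R, C) for
# qualified number restrictions, where R is a role name or ('inv', R).
# A TBox is a list of cardinality restrictions ('ge'|'le', n, C).
# An interpretation is a dict with 'domain' (set), 'concepts'
# (name -> set) and 'roles' (name -> set of pairs).

def successors(interp, role, a):
    """Elements b with (a,b) in R^I; an inverse role reads the pairs backwards."""
    if isinstance(role, tuple):                      # ('inv', R): (b,a) in R^I
        return {x for (x, y) in interp['roles'][role[1]] if y == a}
    return {y for (x, y) in interp['roles'][role] if x == a}

def ext(c, interp):
    """Extension C^I, following the inductive semantics of the paper."""
    kind = c[0]
    if kind == 'atom':
        return interp['concepts'].get(c[1], set())
    if kind == 'not':
        return interp['domain'] - ext(c[1], interp)
    if kind == 'and':
        return ext(c[1], interp) & ext(c[2], interp)
    n, role, d = c[1], c[2], ext(c[3], interp)
    count = lambda a: len(successors(interp, role, a) & d)
    if kind == 'ge':
        return {a for a in interp['domain'] if count(a) >= n}
    return {a for a in interp['domain'] if count(a) <= n}

def is_model(tbox, interp):
    """I |= T iff every restriction (>= n C) / (<= n C) holds for #C^I."""
    for kind, n, c in tbox:
        size = len(ext(c, interp))
        if (kind == 'ge' and size < n) or (kind == 'le' and size > n):
            return False
    return True

# Abbreviations used in the paper: (forall C) := (<= 0 not C), forall R.C :=
# (<= 0 R not C), C -> D := not(C and not D), (= 1 R C) := (<= 1) and (>= 1).
def NOT(c): return ('not', c)
def AND(*cs):
    c = cs[0]
    for d in cs[1:]:
        c = ('and', c, d)
    return c
def IMP(c, d): return NOT(AND(c, NOT(d)))
def ALL(role, c): return ('le', 0, role, NOT(c))
def FORALL(c): return ('le', 0, NOT(c))
def X(k): return ('atom', 'X%d' % k)
def Y(k): return ('atom', 'Y%d' % k)
TOP = NOT(AND(X(0), NOT(X(0))))                      # A or not A

def d_succ(role, bit, other, n):
    """D_east (role 'east', bit X, other Y) resp. D_north (role 'north', bit Y,
    other X): the concept form of Lemma 2 along the given role."""
    parts = []
    for k in range(n):
        lower_all_one = AND(TOP, *[bit(j) for j in range(k)])   # empty: true
        some_lower_zero = NOT(lower_all_one)                    # empty: false
        flip = AND(IMP(bit(k), ALL(role, NOT(bit(k)))), IMP(NOT(bit(k)), ALL(role, bit(k))))
        keep = AND(IMP(bit(k), ALL(role, bit(k))), IMP(NOT(bit(k)), ALL(role, NOT(bit(k)))))
        same = AND(IMP(other(k), ALL(role, other(k))), IMP(NOT(other(k)), ALL(role, NOT(other(k)))))
        parts += [IMP(lower_all_one, flip), IMP(some_lower_zero, keep), same]
    return AND(*parts)

def tbox_n(n):
    """The TBox T_n of Section 3.2, defining a 2^n x 2^n torus."""
    corner00 = AND(*[NOT(X(k)) for k in range(n)], *[NOT(Y(k)) for k in range(n)])
    corner11 = AND(*[X(k) for k in range(n)], *[Y(k) for k in range(n)])
    one_pred = lambda r: AND(('le', 1, ('inv', r), TOP), ('ge', 1, ('inv', r), TOP))
    return [FORALL(('ge', 1, 'east', TOP)), FORALL(('ge', 1, 'north', TOP)),
            FORALL(one_pred('east')), FORALL(one_pred('north')),
            ('le', 1, corner00), ('ge', 1, corner00), ('le', 1, corner11),
            FORALL(AND(d_succ('east', X, Y, n), d_succ('north', Y, X, n)))]

def torus(n, copies=1):
    """Constructed interpretation: `copies` disjoint copies of U(2^n, 2^n) with
    east/north as successor relations and X_k/Y_k holding the coordinate bits,
    so that pos(a) is the grid position of a."""
    N = 2 ** n
    dom = {(c, x, y) for c in range(copies) for x in range(N) for y in range(N)}
    concepts = {}
    for k in range(n):
        concepts['X%d' % k] = {a for a in dom if a[1] >> k & 1}
        concepts['Y%d' % k] = {a for a in dom if a[2] >> k & 1}
    roles = {'east': {(a, (a[0], (a[1] + 1) % N, a[2])) for a in dom},
             'north': {(a, (a[0], a[1], (a[2] + 1) % N)) for a in dom}}
    return {'domain': dom, 'concepts': concepts, 'roles': roles}

if __name__ == '__main__':
    print(is_model(tbox_n(2), torus(2)))              # True: one torus
    print(is_model(tbox_n(2), torus(2, copies=2)))    # False: two (0,0) corners
```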

3.3 Reducing Domino Problems to TBox Consistency 

Once Lemma 4 has been proved, it is easy to reduce the bounded domino problem 
to TBox consistency. We use the standard reduction that has been applied in 
the DL context, e.g., in [BS99]. 

Lemma 5. Let 𝒟 = (D, V, H) be a domino system. Let w = w_0, ..., w_{n−1} ∈ D*. 
There is a TBox T(n, 𝒟, w) such that: 

— T(n, 𝒟, w) is consistent iff 𝒟 tiles U(2^n, 2^n) with initial condition w. 

— T(n, 𝒟, w) can be computed in time polynomial in n. 

Proof. We define T(n, 𝒟, w) := T_n ∪ T_𝒟 ∪ T_w, where T_n is defined as above, 
T_𝒟 captures the vertical and horizontal compatibility constraints of the domino 
system 𝒟, and T_w enforces the initial condition. We use an atomic concept C_d 
for each tile d ∈ D. T_𝒟 consists of the following cardinality restrictions: 

$$(\forall\ \mathop{\sqcup}\limits_{d \in D} C_d),\qquad (\forall\ \mathop{\sqcap}\limits_{d \in D}\ \mathop{\sqcap}\limits_{d' \in D \setminus \{d\}} \neg (C_d \sqcap C_{d'})),$$

$$(\forall\ \mathop{\sqcap}\limits_{d \in D} (C_d \rightarrow \forall east.\mathop{\sqcup}\limits_{(d,d') \in H} C_{d'})),\qquad (\forall\ \mathop{\sqcap}\limits_{d \in D} (C_d \rightarrow \forall north.\mathop{\sqcup}\limits_{(d,d') \in V} C_{d'})).$$

T_w consists of the cardinality restrictions 

$$(\forall\ (C_{(0,0)} \rightarrow C_{w_0})),\ \ldots,\ (\forall\ (C_{(n-1,0)} \rightarrow C_{w_{n-1}}))$$

where, for each x, y, C_{(x,y)} is a concept that is satisfied by an element a iff 
pos(a) = (x,y), similar to C_{(0,0)} and C_{(2^n−1,2^n−1)}. 

From the definition of T(n, 𝒟, w) and Theorem 4, it follows that each model 
of T(n, 𝒟, w) immediately induces a tiling of U(2^n, 2^n) and vice versa. Also, for 
a fixed domino system 𝒟, T(n, 𝒟, w) is obviously polynomially computable. □ 
The next theorem is an immediate consequence of Lemma 5 and Corollary 1: 

Theorem 2. Consistency of ALCQI-TBoxes is NExpTime-hard, even if unary 
coding of numbers is used in the input. 

Recalling the note below Lemma 4, we see that the same argument also 
applies to ALCQ if we allow binary coding of numbers. 

Corollary 2. Consistency of ALCQ-TBoxes is NExpTime-hard, if binary coding 
is used to represent numbers in cardinality restrictions. 

Note that for unary coding we needed both inverse roles and cardinality 
restrictions for the reduction. This is consistent with the fact that satisfiability for 
ALCQI concepts with respect to TBoxes consisting of terminological axioms is 
still in ExpTime, which can be shown by a reduction to Converse-PDL [GM99]. 
This shows that cardinality restrictions on concepts are an additional source of 
complexity; one reason for this might be that ALCQI with cardinality restrictions 
no longer has a tree-model property in the modal logic sense. 



4 Expressiveness of ALCQI 

Since reasoning for ALCQI has the same (worst-case) complexity as for C², 
naturally the question arises how the two logics are related with respect to their 
expressivity. We show that ALCQI is strictly less expressive than C². 

4.1 A Definition of Expressiveness 

There are different approaches to define the expressivity of Description Logics 
[Baa96,Bor96,AdR98], but only the one presented in [Baa96] is capable of handling 
TBoxes. We will use a definition that is equivalent to the one given in [Baa96] 
restricted to a special case. It bases the notion of expressivity on the classes of 
interpretations definable by a sentence (or TBox). 

Definition 3. Let τ = (N_C, N_R) be a finite signature. A class 𝒞 of τ-interpretations 
is called characterisable by a logic ℒ iff there is a sentence φ_𝒞 over τ 
such that 𝒞 = {I | I ⊨ φ_𝒞}. 

The class 𝒞 is called projectively characterisable iff there is a sentence φ_𝒞 
over a signature τ' ⊇ τ such that 𝒞 = {I|_τ | I ⊨ φ_𝒞}, where I|_τ denotes the 
τ-reduct of I. 

A logic ℒ_1 is called as expressive as another logic ℒ_2 (ℒ_1 ≥ ℒ_2) iff, for any 
finite signature τ, any ℒ_2-characterisable class 𝒞 can be projectively characterised 
in ℒ_1. 

Since C² is usually restricted to a relational signature with relation symbols 
of arity at most two, this definition is appropriate to relate the expressiveness 
of ALCQI and C². It is worth noting that ALCQI is strictly more expressive 
than ALCQ, because ALCQ has the finite model property [BBH96], while the 
following ALCQI TBox has no finite models: 

$$T_{inf} = \{ (\forall\, (\geq 1\ R\ \top)),\ (\forall\, (\leq 1\ R^{-1}\ \top)),\ (\geq 1\ (= 0\ R^{-1}\ \top)) \}.$$

The first cardinality restriction requires an outgoing R-edge for every element 
of a model and thus each R-path in the model is infinite. The second and third 
restriction require the existence of an R-path in the model that contains no cycle, 
which implies the existence of infinitely many elements in the model. Since ALCQ 
has the finite model property, the class 𝒞_inf := {I | I ⊨ T_inf}, which contains 
only models with infinitely many elements, can not be projectively characterised 
by an ALCQ-TBox. 

The translation Ψ from ALCQI-TBoxes to C² sentences given in Fig. 1 not 
only preserves satisfiability, but the translation also has exactly the same models 
as the initial TBox. This implies that ALCQI ≤ C². 



4.2 A Game for ALCQI 

Usually, the separation of two logics with respect to their expressivity is a hard 
task and not as easily accomplished as we have just done with ALCQ and 
ALCQI. Even for logics of very restricted expressivity, proofs of separation results 
may become involved and complex [Baa96] and usually require a detailed 
analysis of the classes of models a logic is able to characterise. Valuable tools 
for these analyses are Ehrenfeucht-Fraïssé games. In this section we present an 
Ehrenfeucht-Fraïssé game that exactly captures the expressivity of ALCQI. 

Definition 4. For an ALCQI concept C, the role depth rd(C) counts the maximum 
number of nested cardinality restrictions. Formally we define rd as follows: 

$$\begin{array}{rcl}
rd(A) & := & 0 \quad\text{for } A \in N_C \\
rd(\neg C) & := & rd(C) \\
rd(C_1 \sqcap C_2) & := & \max\{ rd(C_1), rd(C_2) \} \\
rd(\bowtie n\, R\, C) & := & 1 + rd(C)
\end{array}$$

The set C^n_m is defined to consist of exactly those ALCQI concepts that have a 
role depth of at most m, and in which the numbers appearing in number restrictions 
are bounded by n; the set T^n_m is defined to consist of all ALCQI-TBoxes 
T that contain only cardinality restrictions of the form (⋈ k C) with k ≤ n and 
C ∈ C^n_m. 

Two interpretations I and J are called n-m-equivalent (I ≡^n_m J) iff, for all 
TBoxes T in T^n_m, it holds that I ⊨ T iff J ⊨ T. Similarly, for x ∈ Δ^I and 
y ∈ Δ^J we say that I, x and J, y are n-m-equivalent (I, x ≡^n_m J, y) iff, for all 
C ∈ C^n_m it holds that x ∈ C^I iff y ∈ C^J. 

Two elements x ∈ Δ^I and y ∈ Δ^J are called locally equivalent (I, x ≡_l 
J, y) iff for all A ∈ N_C: x ∈ A^I iff y ∈ A^J. 
Note that, since we assume τ to be finite, there are only finitely many pairwise 
inequivalent concepts in each class C^n_m. 

We will now define an Ehrenfeucht-Fraïssé game for ALCQI to capture the 
expressivity of concepts in the classes C^n_m. The game is played by two players. 
Player I is called the spoiler while Player II is called the duplicator. The spoiler’s 
aim is to prove two structures not to be n-m-equivalent, while Player II tries 
to prove the contrary. The game consists of a number of rounds in which the 
players move pebbles on the elements of the two structures. 

Definition 5. Let A be a nonempty set. Let x be an element of A and X a 
subset of A. For any binary relation ℛ ⊆ A × A we write xℛX to denote the 
fact that (x, x') ∈ ℛ holds for all x' ∈ X. For the set N_R of role names let N̄_R 
be the union of N_R and {R^{-1} | R ∈ N_R}. 

A configuration captures the state of a game in progress. It is of the form 
G^n_m(I, x, J, y), where n ∈ ℕ is a limit on the size of the sets that may be chosen 
during the game, m denotes the number of moves which still have to be played, 
and x and y are the elements of Δ^I resp. Δ^J on which the pebbles are placed. 
For the configuration G^n_m(I, x, J, y) the rules are as follows: 

1. If I, x ≢_l J, y, then Player II loses; if m = 0 and I, x ≡_l J, y, then Player 
II wins. 

2. If m > 0, then Player I selects one of the interpretations; assume this is I 
(the case J is handled dually). He then picks a role S ∈ N̄_R and a number 
l ≤ n. He picks a set X ⊆ Δ^I such that xS^I X and ♯X = l. The duplicator 
has to answer with a set Y ⊆ Δ^J with yS^J Y and ♯Y = l. If there is no such 
set, then she loses. 

3. If Player II was able to pick such a set Y, then Player I picks an element 
y' ∈ Y. Player II has to answer with an element x' ∈ X. 

4. The game continues with G^n_{m−1}(I, x', J, y'). 

We say that Player II has a winning strategy for G^n_m(I, x, J, y) iff she can 
always reach a winning position no matter which moves Player I plays. We write 
I, x ≃^n_m J, y to denote this fact. 

Theorem 3. For two structures I, J and two elements x ∈ Δ^I, y ∈ Δ^J it holds 
that I, x ≡^n_m J, y iff I, x ≃^n_m J, y. 

We omit the proof of this and the next theorem. These employ the same 
techniques that are used to show the appropriateness of the known Ehrenfeucht- 
Fraïssé games for C² and for modal logics; please refer to [Tob99] for details. 

The game as it has been presented so far is suitable only if we have already 
placed pebbles on the interpretations. To obtain a game that characterises ≡^n_m 
as a relation between interpretations, we have to introduce an additional rule 
that governs the placement of the first pebbles. Since a TBox consists of cardinality 
restrictions which solely talk about concept membership, we introduce an 
unconstrained set move as the first move of the game G^n_m(I, J). 

Definition 6. For two interpretations I, J, G^n_m(I, J) is played as follows: 

1. Player I picks one of the structures; assume he picks I (the case J is handled 
dually). He then picks a set X ⊆ Δ^I with ♯X = l where l ≤ n. Player II 
must pick a set Y ⊆ Δ^J of equal size. If this is impossible then she loses. 

2. Player I picks an element y ∈ Y, Player II must answer with an x ∈ X. 

3. The game continues with G^n_m(I, x, J, y). 

Again we say that Player II has a winning strategy for G^n_m(I, J) iff she can 
always reach a winning position no matter which moves Player I chooses. We 
write I ≃^n_m J to denote this fact. 

Theorem 4. For two structures I, J it holds that I ≡^n_m J iff I ≃^n_m J. 

Similarly, it would be possible to define a game that captures the expressivity 
of ALCQI with TBoxes consisting of terminological axioms by replacing the 
unconstrained set move from Def. 6 by a move where Player I picks a structure 
and one element from that structure; Player II then has to answer accordingly 
and the game continues as described in Def. 5. 

4.3 The Expressivity Result 

We will now use this characterisation of the expressivity of ALCQI to prove 
that ALCQI is less expressive than C². Even though we have introduced the 
powerful tool of Ehrenfeucht-Fraïssé games, the proof is still rather complicated. 
This is mainly due to the fact that we use a general definition of expressiveness 
that allows for the introduction of arbitrary additional role- and concept-names 
into the signature. 

Theorem 5. ALCQI is not as expressive as C². 

Proof. To prove this theorem we have to show that there is a class 𝒞 that is 
characterisable in C² but that cannot be projectively characterised in ALCQI. 
Claim 1: For an arbitrary R ∈ N_R the class 𝒞_R := {I | R^I is reflexive} is not 
projectively characterisable in ALCQI. Obviously, 𝒞_R is characterisable in C². 
Proof of Claim 1: Assume Claim 1 does not hold and that 𝒞_R is projectively 
characterised by the TBox T_R ∈ T^n_m over an arbitrary (but finite) signature 
τ = (N_C, N_R) with R ∈ N_R. We will have derived a contradiction once we have 
shown that there are two τ-interpretations A, B such that A ∈ 𝒞_R, B ∉ 𝒞_R, but 
A ≡^n_m B. In fact, A ≡^n_m B implies B ⊨ T_R and hence B ∈ 𝒞_R, a contradiction. 

In particular, 𝒞_R contains all interpretations A with R^A = {(x, x) | x ∈ Δ^A}, 
i.e. interpretations in which R is interpreted as equality. Since C^{n+1}_m contains only 
finitely many pairwise inequivalent concepts and 𝒞_R contains interpretations of 
arbitrary size, there is also such an A such that there are two elements x_1, x_2 ∈ 
Δ^A with x_1 ≠ x_2 and A, x_1 ≡^{n+1}_m A, x_2. We define B from A as follows: 

$$\begin{array}{rcl}
\Delta^B & := & \Delta^A \\
A^B & := & A^A \quad\text{for each } A \in N_C, \\
S^B & := & S^A \quad\text{for each } S \in N_R \setminus \{R\}, \\
R^B & := & (R^A \setminus \{(x_1,x_1),(x_2,x_2)\}) \cup \{(x_1,x_2),(x_2,x_1)\}.
\end{array}$$
Since R^B is no longer reflexive, B ∉ 𝒞_R holds as desired. It remains to be shown 
that A ≡^n_m B holds. We prove this by showing that A ≃^n_m B holds, which is 
equivalent to A ≡^n_m B by Theorem 4. 

Any opening move of Player I can be answered by Player II in a way that 
leads to the configuration G^n_m(A, x, B, x), where x depends on the choices of 
Player I. We have to show that, for any configuration of this type, Player II has 
a winning strategy. Since certainly A, x ≡^{n+1}_m A, x this follows from Claim 2: 

Claim 2: For all k ≤ m: If A, x ≡^{n+1}_k A, y then A, x ≃^n_k B, y. 

Proof of Claim 2: We prove Claim 2 by induction over k. Denote Player II's 
strategy for the configuration G^{n+1}_k(A, x, A, y) by S. 

For k = 0, Claim 2 follows immediately from the construction of B: A, x ≡^{n+1}_0 
A, y implies A, x ≡_l A, y and A, y ≡_l B, y since B agrees with A on the interpretation 
of all atomic concepts. It follows that A, x ≡_l B, y, which means that 
Player II wins the game G^n_0(A, x, B, y). For 0 < k ≤ m, assume that Player I 
selects an arbitrary structure and a legal subset of the respective domain. Player 
II tries to answer that move according to S which provides her with a move for 
the game G^{n+1}_k(A, x, A, y). There are two possibilities: 

— The move provided by S is a valid move also for the game G^n_k(A, x, B, y): 
Player II can answer the choice of Player I according to S without violating 
the rules, which yields a configuration G^n_{k−1}(A, x', B, y') such that for x', y' 
it holds that A, x' ≡^{n+1}_{k−1} A, y' (because Player II moved according to S). 
From the induction hypothesis it follows that A, x' ≃^n_{k−1} B, y'. 

— The move provided by S is not a valid move for the game G^n_k(A, x, B, y). 
This requires a more detailed analysis: Assume Player I has chosen to move 
in A and has chosen an S ∈ N̄_R and a set X of size l ≤ n such that 
xS^A X. Let Y be the set that Player II would choose according to S. This 
implies that Y has also l elements and that yS^A Y. That this choice is not 
valid in the game G^n_k(A, x, B, y) implies that there is an element z ∈ Y 
such that (y, z) ∉ S^B. This implies y ∈ {x_1, x_2} and S ∈ {R, R^{-1}}, because 
these are the only elements and relations that are different in A and B. 
W.l.o.g. assume y = x_1 and S = R. Then also z = x_1 must hold, because 
this is the only element such that (x_1, z) ∈ R^A and (x_1, z) ∉ R^B. Thus, 
the choice Y' := (Y \ {x_1}) ∪ {x_2} is a valid one for Player II in the game 
G^n_k(A, x, B, y): x_1 R^B Y' and |Y'| = l because (x_1, x_2) ∉ R^A. 

There are two possibilities for Player I to choose an element y' ∈ Y': 

1. y' ≠ x_2: Player II chooses x' ∈ X according to S. This yields a configuration 
G^n_{k−1}(A, x', B, y') such that A, x' ≡^{n+1}_{k−1} A, y'. 

2. y' = x_2: Player II answers with the x' ∈ X that is the answer to 
the move x_1 of Player I according to S. For the obtained configuration 
G^n_{k−1}(A, x', B, y') also A, x' ≡^{n+1}_{k−1} A, y' holds: By the choice of 
x_1, x_2, A, x_1 ≡^{n+1}_m A, x_2 is satisfied and since k − 1 < m also A, x_1 ≡^{n+1}_{k−1} 
A, x_2 holds which implies A, x_1 ≃^{n+1}_{k−1} A, x_2 by Theorem 4. Since Player 
II chose x' according to S it holds that A, x' ≡^{n+1}_{k−1} A, x_1 and hence 
A, x' ≡^{n+1}_{k−1} A, x_2 since ≡^{n+1}_{k−1} is transitive. 

In both cases we can apply the induction hypothesis which yields A, x' ≃^n_{k−1} 
B, y' and hence Player II has a winning strategy for G^n_k(A, x, B, y). The 
case that Player I chooses from B instead of A can be handled dually. □ 
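As an added example (not from the paper), the games of Definitions 5 and 6 in Python, solved by brute force on finite interpretations and applied to the structures A and B from the proof above: R is interpreted as equality on three elements, and B is obtained by replacing the R-loops at x_1 = 1 and x_2 = 2 by the pair (1,2),(2,1). The encoding of interpretations and the names duplicator_wins and duplicator_wins_game are my own; sets of size 0 are skipped since they would leave Player I nothing to pick in rule 3.

```python
from itertools import combinations

# Interpretations (constructed encoding): 'domain' (set), 'concepts'
# (name -> set), 'roles' (name -> set of pairs). Roles from N_R-bar are
# role names or ('inv', name).

def role_names(interp):
    """N_R-bar: every role name together with its inverse."""
    names = sorted(interp['roles'])
    return names + [('inv', r) for r in names]

def successors(interp, role, a):
    """All b with a S^I b; for ('inv', R) the pairs are read backwards."""
    if isinstance(role, tuple):
        return {x for (x, y) in interp['roles'][role[1]] if y == a}
    return {y for (x, y) in interp['roles'][role] if x == a}

def locally_equivalent(I, x, J, y):
    """I,x =_l J,y: x and y are members of exactly the same atomic concepts."""
    names = set(I['concepts']) | set(J['concepts'])
    return all((x in I['concepts'].get(A, ())) == (y in J['concepts'].get(A, ()))
               for A in names)

def subsets(elements, l):
    """All subsets of size l, as tuples (sorted for determinism)."""
    return combinations(sorted(elements, key=repr), l)

def duplicator_wins(I, x, J, y, n, m):
    """True iff Player II has a winning strategy for G^n_m(I,x,J,y) (Def. 5)."""
    if not locally_equivalent(I, x, J, y):
        return False                                  # rule 1: II loses
    if m == 0:
        return True                                   # rule 1: II wins
    # Rule 2: Player I may move in either structure. The game is symmetric in
    # the two structures, so a move in J is checked by swapping their roles.
    for (P, p, Q, q) in ((I, x, J, y), (J, y, I, x)):
        for S in role_names(P):
            p_succ, q_succ = successors(P, S, p), successors(Q, S, q)
            for l in range(1, n + 1):
                for X in subsets(p_succ, l):          # Player I: p S X, #X = l
                    # Player II needs some Y with q S Y, #Y = l (rule 2) such
                    # that every y' in Y (rule 3) has an answer x' in X that
                    # keeps her winning in G^n_{m-1} (rule 4).
                    if not any(all(any(duplicator_wins(P, xp, Q, yp, n, m - 1)
                                       for xp in X) for yp in Yset)
                               for Yset in subsets(q_succ, l)):
                        return False
    return True

def duplicator_wins_game(I, J, n, m):
    """True iff Player II has a winning strategy for G^n_m(I,J) (Def. 6):
    an unconstrained set move, then the pebbled game with m moves left."""
    for (P, Q) in ((I, J), (J, I)):
        for l in range(1, n + 1):
            for X in subsets(P['domain'], l):
                if not any(all(any(duplicator_wins(P, xp, Q, yp, n, m) for xp in X)
                               for yp in Yset)
                           for Yset in subsets(Q['domain'], l)):
                    return False
    return True

# The structures of the proof of Theorem 5 (constructed instance): in A the
# role R is equality on three elements; B replaces the R-loops at 1 and 2 by
# the pair (1,2),(2,1), so R^B is no longer reflexive.
A = {'domain': {1, 2, 3}, 'concepts': {}, 'roles': {'R': {(1, 1), (2, 2), (3, 3)}}}
B = {'domain': {1, 2, 3}, 'concepts': {}, 'roles': {'R': {(3, 3), (1, 2), (2, 1)}}}

# An atomic concept P holding at 1 only breaks the construction: the
# R-successor of 1 satisfies P in A but not in B, so Player I wins in one round.
A_P = dict(A, concepts={'P': {1}})
B_P = dict(B, concepts={'P': {1}})

if __name__ == '__main__':
    print(duplicator_wins_game(A, B, 2, 2))            # True
    print(duplicator_wins_game(A_P, B_P, 1, 1))        # False
```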

By adding constructs to ALCQI that allow to form more complex role expressions 
one can obtain a DL that has the same expressive power as C²; such 
a DL is presented in [Bor96]. The logic presented there has the ability to express 
a universal role that makes it possible to internalise both TBoxes based 
on terminological axioms and cardinality restrictions on concepts. 

5 Conclusion 

We have shown that, with a rather limited set of constructors, one can define a 
DL whose reasoning problems are as hard as those of C² without reaching the 
expressive power of the latter. This shows that cardinality restrictions, although 
interesting for knowledge representation, are inherently hard to handle algorithmically. 
At a first glance, this makes ALCQI with cardinality restrictions on 
concepts obsolete for knowledge representation, because C² delivers more expressive 
power at the same computational price. Yet, it is likely that a dedicated 
algorithm for ALCQI may have better average complexity than the C² algorithm; 
such an algorithm has yet to be developed. An interesting question lies 
in the coding of numbers: If we allow binary coding of numbers, the translation 
approach together with the result from [PST97] leads to a 2-NExpTime 
algorithm. As for C², it is an open question whether this additional exponential 
blow-up is necessary. A positive answer would settle the same question for C² 
while a proof of the negative answer might give hints how the result for C² might 
be improved. 
Abstract. Hybrid languages are extended modal languages which can 
refer to (or even quantify over) states. Such languages are better behaved 
proof theoretically than ordinary modal languages for they internalize 
the apparatus of labeled deduction. Moreover, they arise naturally in a 
variety of applications, including description logic and temporal reasoning. 
Thus it would be useful to have a map of their complexity-theoretic 
properties, and this paper provides one. 

Our work falls into two parts. We first examine the basic hybrid language 
and its multi-modal and tense logical cousins. We show that the 
basic hybrid language (and indeed, multi-modal hybrid languages) are no 
more complex than ordinary uni-modal logic: all have PSPACE-complete 
K-satisfiability problems. We then show that adding even one nominal to 
tense logic raises complexity from PSPACE to EXPTIME. In the second part 
we turn to stronger hybrid languages in which it is possible to bind nominals. 
We prove a general expressivity result showing that even the weak 
form of binding offered by the ↓ operator easily leads to undecidability. 

Keywords. Computational Complexity, Modal and Temporal Logic, Description 
Logic, Labeled Deduction. 

1 Introduction 

Hybrid languages are modal languages which use atomic formulas called nomi- 
nals to name states. Nominals are true at exactly one state in any model; they 
“name” this state by being true there and nowhere else. Although a wide range 
of hybrid languages have been studied, including hybrid languages in which it is 
possible to bind nominals in various ways, little is known about their computa- 
tional complexity. This paper is an attempt to fill the gap. 

Before going further, let’s be precise about the syntax and semantics of the 
basic hybrid language H(@), the weakest language we shall consider in the paper. 

Definition 1 (Syntax). Let PROP = {p, q, r, ...} be a countable set of propositional 
variables and NOM = {i, j, k, ...} a countable set of nominals, disjoint 
from PROP. We call ATOM = PROP ∪ NOM the set of atoms. The well-formed 
formulas of the hybrid language (over ATOM) are 

$$\varphi := a \mid \neg\varphi \mid \varphi \wedge \varphi' \mid \Box\varphi \mid @_i \varphi$$

where a ∈ ATOM, and i ∈ NOM. As usual, ◇φ is defined to be ¬□¬φ. A formula 
which contains no symbols from PROP is called pure. 

Thus, syntactically speaking, the basic hybrid language is a two-sorted uni-modal 
language which contains a NOM indexed collection of operators @_i. Now for the 
semantics. 

Definition 2 (Semantics). A (hybrid) model 𝔐 is a triple 𝔐 = (M, R, V) 
such that M is a non-empty set, R is a binary relation on M, and V : ATOM 
→ Pow(M) is such that for all i ∈ NOM, V(i) is a singleton subset of M. We 
usually call the elements of M states, R is the transition relation, and V is the 
valuation. A frame is a pair 𝔉 = (M, R), that is, a model without a valuation. 

Let 𝔐 = (M, R, V) be a model and m ∈ M. Then the satisfaction relation 
is defined by: 

$$\begin{array}{lcl}
\mathfrak M, m \Vdash a & \text{iff} & m \in V(a),\ a \in ATOM \\
\mathfrak M, m \Vdash \neg\varphi & \text{iff} & \mathfrak M, m \nVdash \varphi \\
\mathfrak M, m \Vdash \varphi \wedge \psi & \text{iff} & \mathfrak M, m \Vdash \varphi \text{ and } \mathfrak M, m \Vdash \psi \\
\mathfrak M, m \Vdash \Box\varphi & \text{iff} & \forall m' (Rmm' \Rightarrow \mathfrak M, m' \Vdash \varphi) \\
\mathfrak M, m \Vdash @_i\varphi & \text{iff} & \mathfrak M, m' \Vdash \varphi, \text{ where } V(i) = \{m'\},\ i \in NOM.
\end{array}$$

A formula φ is satisfiable if there is a model 𝔐 and a state m ∈ M such that 
𝔐, m ⊩ φ. We write 𝔐 ⊨ φ iff for all m ∈ M, 𝔐, m ⊩ φ. If 𝔉 is a frame, and 
for all valuations V on 𝔉 we have (𝔉, V) ⊨ φ, we say φ is valid on 𝔉 and write 
𝔉 ⊨ φ. 

Because valuations assign singletons to nominals, it is clear that each nominal 
is satisfied at exactly one state in any model. And the clause for formulas of the 
form @_i φ simply says: to evaluate @_i φ, jump to the unique state named by i 
and evaluate φ there. 
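As an added example (my own code, not the paper's), Definition 2 as a model checker for H(@) in Python: satisfaction at a state, the singleton check on nominals, truth in a model, and validity on a finite frame, where validity quantifies over every assignment of a state to each nominal occurring in a pure formula. The tuple encoding of formulas and the names sat, valid_on and MODEL are assumptions; the frame-validity check is exercised with the standard pure formula i → ¬◇i for irreflexivity, which I state as a known fact rather than quote from the page.

```python
from itertools import product

# Formulas of H(@) as tuples (a constructed encoding, not the paper's):
# ('atom', a), ('not', f), ('and', f, g), ('box', f), ('at', i, f),
# with a in ATOM = PROP u NOM and i in NOM. Diamond is the abbreviation.
NOM = {'i', 'j'}                    # nominals; any other atom is in PROP

def diamond(f):
    return ('not', ('box', ('not', f)))

def implies(f, g):
    return ('not', ('and', f, ('not', g)))

def check_model(model):
    """Definition 2: V must map every nominal to a singleton subset of M."""
    states, R, V = model
    for i in NOM & set(V):
        if len(V[i]) != 1 or not V[i] <= states:
            raise ValueError('nominal %s must name exactly one state' % i)

def sat(model, m, f):
    """The satisfaction relation M, m |- f of Definition 2."""
    states, R, V = model
    kind = f[0]
    if kind == 'atom':
        return m in V[f[1]]
    if kind == 'not':
        return not sat(model, m, f[1])
    if kind == 'and':
        return sat(model, m, f[1]) and sat(model, m, f[2])
    if kind == 'box':
        return all(sat(model, m2, f[1]) for (m1, m2) in R if m1 == m)
    (named,) = V[f[1]]               # ('at', i, f): jump to the state named by i
    return sat(model, named, f[2])

def holds_everywhere(model, f):
    """M |= f: f is satisfied at every state of M."""
    return all(sat(model, m, f) for m in model[0])

def nominals_in(f):
    """The nominals occurring in f."""
    if f[0] == 'atom':
        return {f[1]} if f[1] in NOM else set()
    if f[0] == 'at':
        return {f[1]} | nominals_in(f[2])
    return set().union(*(nominals_in(g) for g in f[1:]))

def valid_on(frame, f):
    """F |= f for a pure formula f: (F, V) |= f for every valuation V, which on
    a finite frame means every assignment of a state to each nominal in f."""
    states, R = frame
    noms = sorted(nominals_in(f))
    for choice in product(sorted(states), repeat=len(noms)):
        V = {i: {s} for i, s in zip(noms, choice)}
        if not holds_everywhere((states, R, V), f):
            return False
    return True

# Constructed model: 0 -> 1 -> 2 with a loop at 2; p holds at 1 and 2,
# nominal i names 2 and nominal j names 0.
MODEL = ({0, 1, 2}, {(0, 1), (1, 2), (2, 2)}, {'p': {1, 2}, 'i': {2}, 'j': {0}})
check_model(MODEL)

# The standard pure formula i -> not <>i defines irreflexivity (a known fact,
# used here as my own choice of example; the paper's formula is not quoted).
IRREFLEXIVE = implies(('atom', 'i'), ('not', diamond(('atom', 'i'))))

if __name__ == '__main__':
    print(sat(MODEL, 0, ('at', 'i', ('atom', 'p'))))               # True
    print(valid_on(({0, 1, 2}, {(0, 1), (1, 2)}), IRREFLEXIVE))     # True
    print(valid_on(MODEL[:2], IRREFLEXIVE))                         # False
```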

There are at least two reasons for being interested in hybrid languages. First, 
they can be seen as modal languages which internalize the ideas underlying 
labeled deduction systems. Second, hybrid languages arise naturally in many 
applications. 

Hybrid languages and labeled deduction. Labeled deduction (see [Gab96]) is built 
around the notation l:φ. Here the meta linguistic symbol : associates the meta 
linguistic label l with the formula φ. This has a natural modal interpretation: 
regard labels as names for states and read l:φ as asserting that φ is satisfied at 
l. Labeled deduction proceeds by manipulating such labels to guide proof search; 
the approach has become an important way of handling modal proof theory. 

The basic hybrid language places the apparatus of labeled deduction in the 
object language: nominals are essentially object-level labels, and the formula @_i φ 
asserts in the object language what i : φ asserts in the metalanguage. And indeed, 
hybrid languages turn out to be proof-theoretically well behaved. For a start, 
the basic hybrid language enables us to directly “internalize” labeled deduction 
(see [Bla98]), and to define sequent calculi and natural deduction systems (see 
[Sel97]). In fact, even if @ is dropped from the language, elegant Fitting-style 
systems which exploit the presence of nominals can be defined (see [Tza98]). 

Furthermore, such calculi automatically handle the logics of a wide range of 
frame classes, including many that are awkward for ordinary modal logic. To 
give a simple example, no ordinary modal formula defines irreflexivity (that is, 
no ordinary modal formula is valid on precisely the irreflexive frames). But the 
(pure) formula does so, as the reader can easily check. Moreover, when 
used as an additional axiom, this formula (and indeed, any pure formula) is 
complete with respect to the class of frames it defines. For a full discussion of 
these issues, see [Bla98,BT99]. 

Hybrid languages and applied logic. Modal logicians like to claim that notational 
variants of modal logics are often reinvented by workers in artificial intelligence, 
computational linguistics, and other fields — in this case, it would be more 
accurate to say that it is hybrid languages which are reinvented in this way. 
For example, it is well known that the description language ALC (see [SSS91]) 
is a notational variant of multi-modal logic (see [Sch91]). But this relation is 
established at the level of what is called the TBox reasoning. TBox reasoning 
is complemented with ABox assertions, which corresponds to the addition of 
nominals (see [AdR99,BS98]). Moreover, many authors have pointed out how 
natural hybrid languages are for temporal reasoning (see [Bul70,Gor96,BT99]). 
Among other things, hybrid languages make it possible to introduce specific 
times (days, dates, etc.), and to define many temporally relevant frame properties 
(such as irreflexivity, asymmetry, trichotomy, and directedness) that ordinary 
modal languages cannot handle. Furthermore, if one starts with a modal interval 
language and adds nominals and @, one obtains variants of the Holds(t, φ)-driven 
interval logics discussed in [All84] (with @ playing the role of Holds). 

The emergence of hybrid languages in applied logic is not particularly sur- 
prising. Modal languages offer a simple notation for modeling many problems 
— but the ability to reason about what happens at a particular state is often 
important and this is precisely what orthodox modal languages lack. This seems 
to have encouraged a drift (often implicit) towards hybrid languages. 

Our work falls into two parts. We first examine the basic hybrid language and 
its multi-modal and tense logical variants. We show that the basic and even the 
multi-modal hybrid languages are no more complex than ordinary uni-modal 
logic: all have PSPACE-complete K-satisfiability problems. We also show that 
adding even one nominal to tense logic raises complexity from PSPACE to EXPTIME. 
In the second part of the paper we turn to stronger hybrid languages in 
which it is possible to bind nominals. We shall show, via a general expressivity 
result called the Spypoint Theorem, that even the restricted form of binding 
offered by the $\downarrow$ operator easily leads to undecidability. 
2 Complexity of the basic hybrid language 

We begin with a positive result. We know from [Lad77] that ordinary propositional 
uni-modal logic has a PSPACE-complete K-satisfaction problem (the K 
meaning that no restrictions are placed on the transition relation $R$). What 
happens when we add nominals and $@$ to form the basic hybrid language? The 
answer (up to a polynomial) is: nothing. 

Theorem 1. The K-satisfaction problem for the basic hybrid language is 
PSPACE-complete. 

Proof. The lower bound follows from [Lad77]. We show the upper bound by 
defining the notion of a $\xi$-game between two players. We will show that the existential 
player has a winning strategy for the $\xi$-game if and only if $\xi$ is satisfiable. 
Moreover every $\xi$-game stops after at most as many rounds as the modal depth 
of $\xi$, and the information on the playing board is polynomial in the length of $\xi$. 
Using the close correspondence between Alternating Turing Machines (ATMs) 
and two player games [Chl86], it is straightforward to implement the problem of 
whether the existential player has a winning strategy in the $\xi$-game on a PTIME 
ATM. Because any PTIME ATM algorithm can be turned into a PSPACE Turing 
Machine program, we obtain our desired result. We present the proof only for 
uni-modal $\mathcal{H}(@)$; it can be straightforwardly extended to the multi-modal case. 

Fix a formula $\xi$. A $\xi$-Hintikka set is a maximal consistent set of subformulas 
of $\xi$. We denote the set of subformulas of $\xi$ by $SF(\xi)$. The $\xi$-game is played as 
follows. There are two players, $\forall$belard (male) and $\exists$loise (female). She starts 
the game by playing a collection $\{X_0, \ldots, X_k\}$ of Hintikka sets and specifying a 
relation $R$ on them. 

$\exists$loise loses immediately if one of the following conditions is false: 

1. $X_0$ contains $\xi$ and all other $X_j$ contain at least one nominal occurring in $\xi$. 

2. no nominal occurs in two different Hintikka sets. 

3. for all $X_j$, for all $@_i\varphi \in SF(\xi)$: $@_i\varphi \in X_j$ iff $\{i, \varphi\} \subseteq X_k$ for some $k$. 

4. for all $\Diamond\varphi \in SF(\xi)$, if $R X_j X_k$ and $\Diamond\varphi \notin X_j$, then $\varphi \notin X_k$. 

Now $\forall$belard may choose an $X_j$ and a “defect-formula” $\Diamond\varphi \in X_j$. $\exists$loise must 
respond with a Hintikka set $Y$ such that 

1. $\varphi \in Y$ and for all $\Diamond\psi \in SF(\xi)$, $\Diamond\psi \notin X_j$ implies that $\psi \notin Y$. 

2. for all $@_i\psi \in SF(\xi)$, $@_i\psi \in Y$ iff $\{i, \psi\} \subseteq X_k$ for some $k$. 

3. if $i \in Y$ for some nominal $i$, then $Y$ is one of the Hintikka sets she played at 
the start. In this case the game stops and $\exists$loise wins. 

If $\exists$loise cannot find a suitable $Y$, the game stops and $\forall$belard wins. If $\exists$loise 
does find a suitable $Y$ (one that is not covered by the halting clause in item 3 
above) then $Y$ is added to the list of played sets, and play continues. 

$\forall$belard must now choose a defect $\Diamond\varphi$ from the last played Hintikka set with 
the following restriction: in round $k$ he can only choose defects $\Diamond\varphi$ such that 
the modal depth of $\Diamond\varphi$ is less than or equal to the modal depth of $\xi$ minus $k$. 
$\exists$loise must respond as before. She wins if she can survive all his challenges (in 
other words, he loses if he reaches a situation where he can’t choose any more 
defects). 

It is clear that the $\xi$-game stops after at most modal depth of $\xi$ many rounds. 
The size of the information on the board is at any stage of the game polynomial 
in the length of $\xi$, as Hintikka sets are polynomial in the length of $\xi$ and $\xi$ can 
only contain polynomially many nominals. We claim that $\exists$loise has a winning 
strategy iff $\xi$ is satisfiable. 

Now the right-to-left direction is clear: $\exists$loise has a winning strategy if $\xi$ 
is satisfiable, for she need simply play by reading the required Hintikka sets 
off the model. The other direction requires more work. Suppose $\exists$loise has a 
winning strategy for the $\xi$-game. We shall create a model $\mathfrak{M}$ for $\xi$ as follows. 
The domain $M$ is built in steps by following her winning strategy. $M_0$ consists 
of her initial move $\{X_0, \ldots, X_n\}$. Suppose $M_j$ is defined. Then $M_{j+1}$ consists of 
a copy of those Hintikka sets she plays when using her winning strategy for each 
of $\forall$belard’s possible moves played in the Hintikka sets from $M_j$ (except when 
she plays a Hintikka set from her initial move, then of course we do not make 
a copy). Let $M$ be the disjoint union of all $M_j$ for $j$ smaller than the modal 
depth of $\xi$. Set $Rmm'$ iff for all $\Diamond\varphi \in SF(\xi)$, $\Diamond\varphi \notin m \Rightarrow \varphi \notin m'$ holds, and 
set $V(p) = \{m \in M \mid p \in m\}$. Note that the rules of the game guarantee that 
nominals are interpreted as singletons. 

We claim that the following truth-lemma holds. For all $m \in M$ which she 
plays in round $j$ (i.e., $m \in M_j$), for all $\varphi$ of modal depth less than or equal to 
the modal depth of $\xi$ minus $j$, $\mathfrak{M}, m \Vdash \varphi$ if and only if $\varphi \in m$. 

Proof of Claim. By induction on the structure of formulas. For atoms, the 
booleans and $@$ the proof is easy. For $\Diamond$, if $\Diamond\varphi \in m$, then $\forall$belard challenged 
this defect, so $\exists$loise could respond with an $m'$ containing $\varphi$. Since for all $\Diamond\psi \in 
SF(\xi)$, $\Diamond\psi \notin m \Rightarrow \psi \notin m'$ holds, we have $Rmm'$ and by induction hypothesis 
$\mathfrak{M}, m \Vdash \Diamond\varphi$. If $\Diamond\varphi \notin m$ but $Rmm'$ holds, then by our definition of $R$, $\varphi \notin m'$, 
so again $\mathfrak{M}, m \nVdash \Diamond\varphi$. 

Since she plays a Hintikka set containing $\xi$ in the first round, $\mathfrak{M}$ satisfies $\xi$. 

This result generalizes to the multi-modal case. Recall that in a multi-modal 
language we have an indexed collection of modalities $[a]$, each interpreted by 
some relation $R_a$. From [HM92] we know that the K-satisfaction problem for 
multi-modal languages is PSPACE-complete (here the K means that no restrictions 
are placed on the individual $R_a$, or on the way they are inter-related). If we add 
nominals and $@$ to such a language, the previous proof straightforwardly extends 
to show that we are still PSPACE-complete. 

We have already mentioned that the description language $\mathcal{ALC}$ with assertional 
axioms is a restriction of multi-modal logic enriched with nominals, as 
nominals cannot be freely used in formulas and can only act as subindices of 
the $@$ operator. The logic $\mathcal{ALCO}$ [Sch94] moves closer to $\mathcal{H}(@)$ by allowing the 
formation of concepts by means of sets of nominals. Eliminating the restrictions 
on $@$ from such a language would in effect give us an equational calculus for 
reasoning about individuals, and make it possible to specify additional frame 
properties. 



3 Hybrid Tense Logic 



The language of tense logic is a bimodal language; its $\Box$-modalities are written $G$ 
and $H$ and the respective $\Diamond$-modalities $F$ and $P$. But these modalities are inter-related: 
while $G$ and $F$ look forward along the transition relation $R$, the $H$ and $P$ 
modalities look backwards along this relation (that is, $H$ and $P$ are interpreted 
using the converse of $R$). Now, we know from [Spa93b] that the K-satisfaction 
problem for tense logic is PSPACE-complete. However, because $G$ and $H$ are inter-related, 
the results of the previous section are not applicable. And in fact, adding 
even one nominal to tense logic causes a jump in complexity from PSPACE to 
EXPTIME, and we don’t need to add $@$ to obtain this result. Our proof uses the 
spy-point technique from [BS95]; we will be exploring this technique in great 
detail in the following section when we discuss undecidable systems. 

Theorem 2. The K-satisfaction problem for a language of tense logic containing 
at least one nominal is EXPTIME-hard. 



Proof. We shall reduce the EXPTIME-complete global K-satisfaction problem for 
uni-modal languages to the (local) K-satisfaction problem for a basic tense language 
that contains at least one nominal. The global K-satisfaction problem for 
uni-modal languages is this: given a formula $\varphi$ in the uni-modal language, does 
there exist a Kripke model $\mathfrak{M}$ such that $\mathfrak{M} \models \varphi$ (in other words, where $\varphi$ is true 
in all states)? The EXPTIME-completeness of this problem is an easy consequence 
of (the proof of) the EXPTIME-completeness of modal logic K expanded with the 
universal modality in [Spa93a]. 

Define the following translation function $(\cdot)^*$ from ordinary uni-modal formulas 
to formulas in a tense language that contains at least one nominal $i$: 

$$p^* = p,\quad (\neg\varphi)^* = \neg\varphi^*,\quad (\varphi \wedge \psi)^* = \varphi^* \wedge \psi^*,\quad (\Diamond\varphi)^* = F(Pi \wedge \varphi^*).$$

Note that $i$ is a fixed nominal in this translation. Clearly $(\cdot)^*$ is a linear reduction. We claim 
that for any formula $\varphi$, $\varphi$ is globally K-satisfiable if and only if $i \wedge G(Pi \to \varphi^*)$ 
is K-satisfiable. 

For the left to right direction, let $\mathfrak{M} \models \varphi$, where $\mathfrak{M} = (M, R, V)$ is an ordinary 
Kripke model. Define $\mathfrak{M}^*$ as follows: $M^* = M \cup \{i\}$, $R^* = R \cup \{(i, m) \mid m \in M\}$, 
$V^* = V \cup \{(n, \{i\}) \mid \text{for all nominals } n\}$. $\mathfrak{M}^*$ is a hybrid model where all 
nominals (including $i$) are interpreted by the singleton set $\{i\}$, our spy-point. We 
claim that for all $m \in M$, for all $\psi$, we have $\mathfrak{M}, m \Vdash \psi$ if and only if $\mathfrak{M}^*, m \Vdash \psi^*$. 
This follows by a simple induction. The only interesting step is for $\Diamond$: 

$$\begin{array}{ll}
 & \mathfrak{M}, m \Vdash \Diamond\psi \\
\text{iff} & (\exists m' \in M) : Rmm' \ \&\ \mathfrak{M}, m' \Vdash \psi \\
\text{iff} & (\exists m' \in M^*) : R^*mm' \ \&\ \mathfrak{M}^*, m' \Vdash \psi^* \ \&\ R^*im' \quad \text{(by IH and def. of } R^*) \\
\text{iff} & \mathfrak{M}^*, m \Vdash F(Pi \wedge \psi^*) \\
\text{iff} & \mathfrak{M}^*, m \Vdash (\Diamond\psi)^*.
\end{array}$$

It follows that $\mathfrak{M}^*, i \Vdash i \wedge G(Pi \to \varphi^*)$, as desired. 

For the other direction, let $\mathfrak{M}, w \Vdash i \wedge G(Pi \to \varphi^*)$, where $\mathfrak{M} = (M, R, V)$ 
is a hybrid model. Define $\mathfrak{M}^*$ as follows: $M^* = \{m \in M \mid Rwm\}$, $R^* = R{\upharpoonright}M^*$, 
$V^* = V{\upharpoonright}M^*$. We claim that for all $m \in M^*$, for all $\psi$, $\mathfrak{M}, m \Vdash \psi^*$ if and only if 
$\mathfrak{M}^*, m \Vdash \psi$. Again we only present the inductive step for $\Diamond$: 

$$\begin{array}{ll}
 & \mathfrak{M}, m \Vdash F(Pi \wedge \psi^*) \\
\text{iff} & (\exists m' \in M) : Rmm' \ \&\ Rwm' \ \&\ \mathfrak{M}, m' \Vdash \psi^* \\
\text{iff} & (\exists m' \in M^*) : Rmm' \ \&\ Rwm' \ \&\ \mathfrak{M}, m' \Vdash \psi^* \\
\text{iff} & (\exists m' \in M^*) : R^*mm' \ \&\ \mathfrak{M}^*, m' \Vdash \psi \quad \text{(by IH and definition of } M^*) \\
\text{iff} & \mathfrak{M}^*, m \Vdash \Diamond\psi.
\end{array}$$

For all $m \in M^*$, $Rwm$ holds, whence for all $m \in M^*$, $\mathfrak{M}, m \Vdash Pi$. So, since 
$\mathfrak{M}, w \Vdash G(Pi \to \varphi^*)$, for all $m \in M^*$, $\mathfrak{M}, m \Vdash \varphi^*$. Hence by our last claim 
$\mathfrak{M}^* \models \varphi$, which is what we needed to show. 

A matching upper bound can be obtained by interpreting the fragment in 
the guarded fragment with two variables [Gra97]. 
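As an added worked example (not code from the paper), the following Python implements the translation $(\cdot)^*$ and both model constructions from the proof of Theorem 2, together with a small tense-logic model checker, and checks the claimed equivalence on a constructed two-state Kripke model; the tuple encoding of formulas and the state names are assumptions of this example.

```python
# Added example, not the paper's code: the translation (·)* and the two model
# constructions from the proof of Theorem 2, checked with a small tense-logic
# model checker on a constructed Kripke model.  Formulas are nested tuples:
#   ('prop', p), ('nom', i), ('not', f), ('and', f, g),
#   ('dia', f) for the uni-modal ◇, and ('F', f), ('P', f), ('G', f) for tense.


def tense_sat(model, m, phi):
    """M, m ⊩ phi.  model = (M, R, V): F, G (and ◇) look forward along R,
    P looks backward along R.  Nominals are stored in V as singleton sets."""
    M, R, V = model
    kind = phi[0]
    if kind in ('prop', 'nom'):
        return m in V.get(phi[1], set())
    if kind == 'not':
        return not tense_sat(model, m, phi[1])
    if kind == 'and':
        return tense_sat(model, m, phi[1]) and tense_sat(model, m, phi[2])
    if kind in ('F', 'dia'):
        return any(tense_sat(model, n, phi[1]) for (x, n) in R if x == m)
    if kind == 'G':
        return all(tense_sat(model, n, phi[1]) for (x, n) in R if x == m)
    if kind == 'P':
        return any(tense_sat(model, n, phi[1]) for (n, x) in R if x == m)
    raise ValueError('unknown connective %r' % (kind,))


def imp(f, g):
    """f -> g written as the abbreviation ¬(f ∧ ¬g)."""
    return ('not', ('and', f, ('not', g)))


def star(phi, i='i'):
    """(·)*: p* = p, (¬φ)* = ¬φ*, (φ ∧ ψ)* = φ* ∧ ψ*, (◇φ)* = F(Pi ∧ φ*)."""
    kind = phi[0]
    if kind == 'prop':
        return phi
    if kind == 'not':
        return ('not', star(phi[1], i))
    if kind == 'and':
        return ('and', star(phi[1], i), star(phi[2], i))
    if kind == 'dia':
        return ('F', ('and', ('P', ('nom', i)), star(phi[1], i)))
    raise ValueError('(·)* is defined on uni-modal formulas only')


def star_model(model, i='i'):
    """M*: add the spypoint i, make it R-related to every state of M, and let
    the nominal i name it (only one nominal is used in this example)."""
    M, R, V = model
    assert i not in M, 'the spypoint must be a fresh state'
    return (set(M) | {i}, set(R) | {(i, m) for m in M}, {**V, i: {i}})


def unstar_model(model, w, nominals):
    """The converse construction: keep only the R-successors of w, restrict R
    and V to them, and forget the nominals."""
    M, R, V = model
    M2 = {m for (x, m) in R if x == w}
    R2 = {(x, y) for (x, y) in R if x in M2 and y in M2}
    V2 = {a: s & M2 for a, s in V.items() if a not in nominals}
    return (M2, R2, V2)


def theorem2_check(model, phi, i='i'):
    """Returns (M ⊨ φ, M*, i ⊩ i ∧ G(Pi → φ*)).  The proof of Theorem 2
    shows that the two truth values always agree."""
    left = all(tense_sat(model, m, phi) for m in model[0])
    target = ('and', ('nom', i), ('G', imp(('P', ('nom', i)), star(phi, i))))
    right = tense_sat(star_model(model, i), i, target)
    return left, right


# Constructed sample: two states a → b, with p true only at b.
P = ('prop', 'p')
SAMPLE = ({'a', 'b'}, {('a', 'b')}, {'p': {'b'}})

if __name__ == '__main__':
    print(theorem2_check(SAMPLE, imp(('not', P), ('dia', P))))   # p ∨ ◇p
    print(theorem2_check(SAMPLE, imp(P, ('dia', P))))            # p → ◇p
    print(unstar_model(star_model(SAMPLE), 'i', {'i'}) == SAMPLE)
```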



4 Binding nominals 

Once we are used to treating labels as formulas, it is easy to obtain further 
expressivity. For example, instead of viewing nominals as names, we could think 
of them as variables over states and bind them with quantifiers. That is, we 
could form expressions like 

$$\exists x.\Diamond(x \wedge \forall y.\Diamond(y \wedge \Diamond y \wedge p)).$$

This sentence is satisfied at a state $w$ if and only if there is some state $x$ accessible 
from $w$ such that all states $y$ accessible from $x$ are reflexive and satisfy 
$p$. Historically, hybrid languages offering quantification over states were the first 
to be explored ([Bul70,PT85]). In their multi-modal version, they are essentially 
description languages which offer full first-order expressivity (see [BS98]). If the 
underlying modal language is taken to be the modal interval logic described in 
[Ben83a], the resulting system is essentially the full version of Allen’s $\mathrm{Holds}(t, \varphi)$-based 
interval logic in which quantification over $t$ is permitted (see [All84]). But 
because they offer full first-order expressivity over states, such hybrid languages 
are obviously undecidable. 

More recently, there has been interest in hybrid languages which use a weaker 
binder called $\downarrow$ (see [Gor96,BS95]). Unlike $\exists$ and $\forall$, this is not a quantifier: it 
is simply a device which binds a nominal to the state where evaluation is being 
performed (that is, the current state). For example, the interplay between $\downarrow$ and 
$@$ allows us to define the Until operator: 

$$\mathit{Until}(\varphi, \psi) := {\downarrow}x.\Diamond{\downarrow}y.@_x(\Diamond(y \wedge \varphi) \wedge \Box(\Diamond y \to \psi)).$$

This works as follows: we name the current state $x$, use $\Diamond$ to move to an accessible 
state, which we name $y$, and then use $@$ to jump us back to $x$. We then use $\Diamond$ 
to insist that $\varphi$ holds at the state named $y$, while $\psi$ holds at all successors of 
the current state that precede this $y$-labeled state. 

C. Areces, P. Blackburn, and M. Marx 

$\mathcal{H}(\downarrow,@)$, the extension of $\mathcal{H}(@)$ with the $\downarrow$ binder, is proof theoretically well 
behaved, and completeness results for a wide class of frames can be obtained 
automatically (see [BT99,Bla98,Tza98]). But $\downarrow$ turns out to be extremely powerful: 
not only is $\mathcal{H}(\downarrow,@)$ undecidable, the sublanguage $\mathcal{H}(\downarrow)$ containing only 
the $\downarrow$ binder is too. However the only published undecidability result for $\mathcal{H}(\downarrow)$ 
is the one in [BS95], and this makes use of $\downarrow$ over a modal language with four 
modalities. In unpublished work, Valentin Goranko, and Blackburn and Seligman 
have proved undecidability in the uni-modal case, but these proofs make use 
of propositional variables to carry out the encoding. We are now going to prove 
the sharpest undecidability result yet for $\mathcal{H}(\downarrow)$ through a general expressivity 
result called the Spypoint Theorem. Roughly speaking, the Spypoint Theorem 
shows that $\downarrow$ is powerful enough to encode modal satisfaction over a wide range 
of Kripke models, and that it doesn’t need the help of propositional variables or 
multiple modalities to do this. 



4.1 The language $\mathcal{H}(\downarrow,@)$ 

Let’s first make the syntax and semantics of $\mathcal{H}(\downarrow,@)$ precise. 

Definition 3 (Syntax). As in Definition 1, $\mathrm{PROP} = \{p, q, r, \ldots\}$ is a countable 
set of propositional variables, and $\mathrm{NOM}$ is a countable set of 
nominals. To this we add $\mathrm{SVAR} = \{x_1, x_2, \ldots\}$, a countable set of state variables. 
We assume that PROP, NOM and SVAR are pairwise disjoint. We call $\mathrm{SSYM} = 
\mathrm{NOM} \cup \mathrm{SVAR}$ the set of state symbols, and $\mathrm{ATOM} = \mathrm{PROP} \cup \mathrm{NOM} \cup \mathrm{SVAR}$ 
the set of atoms. The well-formed formulas of $\mathcal{H}(\downarrow,@)$ (over ATOM) are 

$$\varphi ::= a \mid \neg\varphi \mid \varphi \wedge \varphi' \mid \Box\varphi \mid @_s\varphi \mid {\downarrow}v.\varphi$$

where $a \in \mathrm{ATOM}$, $v \in \mathrm{SVAR}$ and $s \in \mathrm{SSYM}$. 

The difference between nominals and state variables is simply this: nominals 
cannot be bound by $\downarrow$ whereas state variables can. The notions of free and 
bound state variable are defined as in first-order logic, with $\downarrow$ the only binding 
operator. A sentence is a formula containing no free state variables. A formula 
is pure if it contains no propositional variables, and nominal-free if it contains 
no nominals. In what follows we assume that some choice of PROP, NOM, and 
SVAR has been fixed. 

Definition 4 (Semantics). Hybrid models $\mathfrak{M}$ are defined as in Definition 2. 
An assignment $g$ for $\mathfrak{M}$ is a mapping $g : \mathrm{SVAR} \to M$. Given an assignment $g$, 
we define the assignment $g^v_m$ by $g^v_m(v') = g(v')$ for $v' \neq v$ and $g^v_m(v) = m$. We 
say that $g^v_m$ is a $v$-variant of $g$. 

Let $\mathfrak{M} = (M, R, V)$ be a model, $m \in M$, and $g$ an assignment. For any atom 
$a$, let $[V, g](a) = \{g(a)\}$ if $a$ is a state variable, and $V(a)$ otherwise. Then: 

$$\begin{array}{lll}
\mathfrak{M}, g, m \Vdash a & \text{iff} & m \in [V, g](a),\ a \in \mathrm{ATOM} \\
\mathfrak{M}, g, m \Vdash \neg\varphi & \text{iff} & \mathfrak{M}, g, m \nVdash \varphi \\
\mathfrak{M}, g, m \Vdash \varphi \wedge \psi & \text{iff} & \mathfrak{M}, g, m \Vdash \varphi \text{ and } \mathfrak{M}, g, m \Vdash \psi \\
\mathfrak{M}, g, m \Vdash \Box\varphi & \text{iff} & \forall m'(Rmm' \Rightarrow \mathfrak{M}, g, m' \Vdash \varphi) \\
\mathfrak{M}, g, m \Vdash {\downarrow}v.\varphi & \text{iff} & \mathfrak{M}, g^v_m, m \Vdash \varphi \\
\mathfrak{M}, g, m \Vdash @_s\varphi & \text{iff} & \mathfrak{M}, g, m' \Vdash \varphi, \text{ where } [V, g](s) = \{m'\},\ s \in \mathrm{SSYM}.
\end{array}$$

We write $\mathfrak{M}, g \Vdash \varphi$ iff for all $m \in M$, $\mathfrak{M}, g, m \Vdash \varphi$, and $\mathfrak{M} \models \varphi$ iff for all $g$, 
$\mathfrak{M}, g \Vdash \varphi$. 

Thus, as promised, $\downarrow$ enables us to bind a state variable to the current state. 
Note that, just as in first-order logic, if $\varphi$ is a sentence it is irrelevant which 
assignment $g$ is used to perform evaluation. Hence for sentences the relativization 
to assignments of the satisfaction relation can be dropped. A formula $\varphi$ is 
satisfiable if there is a model $\mathfrak{M}$, an assignment $g$ on $\mathfrak{M}$, and a state $m \in M$ 
such that $\mathfrak{M}, g, m \Vdash \varphi$. 

We can now get down to business. First, we shall present a fragment of first-order 
logic (the bounded fragment) which is precisely as expressive as $\mathcal{H}(\downarrow,@)$, 
and provide explicit translations between these two languages. Secondly, we shall 
give an easy proof that (uni-modal) $\mathcal{H}(\downarrow,@)$ is undecidable. Third, we shall 
show how the dependency in this proof on $@$ and propositional variables can 
be systematically eliminated (in particular, we will show how to encode the 
valuation $V$ so that the use of propositional variables can be simulated) and 
how we can encode any frame-condition expressible inside the pure fragment of 
$\mathcal{H}(\downarrow)$. This leads directly to the Spypoint Theorem and our undecidability result. 



4.2 $\mathcal{H}(\downarrow,@)$ and the bounded fragment 



We first relate $\mathcal{H}(\downarrow,@)$ to a certain bounded fragment of first-order logic. We 
shall work with a first-order language which contains a binary relation symbol 
$R$, a unary relation symbol $P_j$ for each $p_j \in \mathrm{PROP}$, and whose constants are the 
elements of NOM. Obviously any hybrid model $\mathfrak{M} = (M, R, V)$ can be regarded 
as a first-order model for this language: the domain of the model is $M$, the accessibility 
relation $R$ is used to interpret the binary predicate $R$, unary predicates 
are interpreted by the subsets that $V$ assigns to propositional variables, and constants 
are interpreted by the states that nominals name. Conversely, any model 
for our first-order language can be regarded as a hybrid model. So we shall let 
context determine whether we are referring to first-order or hybrid models, and 
continue to use the notation $\mathfrak{M} = (M, R, V)$ for models. 

First the easy part: we extend the well-known standard translation ST of 
modal correspondence theory (see [Ben83b]) to $\mathcal{H}(\downarrow,@)$. We assume that the 
first-order variables are $\mathrm{SVAR} \cup \{x, y\}$ (where $x$ and $y$ are distinct new variables) 
and define the required translation by mutual recursion between two functions 
$ST_x$ and $ST_y$. Here $\varphi[x/y]$ means “replace all free instances of $x$ by $y$ in $\varphi$.” 

$$\begin{array}{ll}
ST_x(p_j) = P_j(x),\ p_j \in \mathrm{PROP}. & ST_y(p_j) = P_j(y),\ p_j \in \mathrm{PROP}. \\
ST_x(i_j) = x = i_j,\ i_j \in \mathrm{NOM}. & ST_y(i_j) = y = i_j,\ i_j \in \mathrm{NOM}. \\
ST_x(x_j) = x = x_j,\ x_j \in \mathrm{SVAR}. & ST_y(x_j) = y = x_j,\ x_j \in \mathrm{SVAR}. \\
ST_x(\neg\varphi) = \neg ST_x(\varphi). & ST_y(\neg\varphi) = \neg ST_y(\varphi). \\
ST_x(\varphi \wedge \psi) = ST_x(\varphi) \wedge ST_x(\psi). & ST_y(\varphi \wedge \psi) = ST_y(\varphi) \wedge ST_y(\psi). \\
ST_x(\Diamond\varphi) = \exists y.(Rxy \wedge ST_y(\varphi)). & ST_y(\Diamond\varphi) = \exists x.(Ryx \wedge ST_x(\varphi)). \\
ST_x({\downarrow}x_j.\varphi) = (ST_x(\varphi))[x_j/x]. & ST_y({\downarrow}x_j.\varphi) = (ST_y(\varphi))[x_j/y]. \\
ST_x(@_s\varphi) = (ST_x(\varphi))[x/s]. & ST_y(@_s\varphi) = (ST_y(\varphi))[y/s].
\end{array}$$

Proposition 1. Let $\varphi$ be a hybrid formula, then for all hybrid models $\mathfrak{M}$, $m \in 
M$ and assignments $g$, $\mathfrak{M}, g, m \Vdash \varphi$ iff $\mathfrak{M} \models ST_x(\varphi)[g^x_m]$. 

Proof. Induction on the structure of $\varphi$. 



Now for the interesting question: what is the range of ST? In fact it belongs 
to a bounded fragment of our first-order language. This fragment consists of the 
formulas generated as follows: 

$$\varphi ::= Rtt' \mid P_j t \mid t = t' \mid \neg\varphi \mid \varphi \wedge \varphi' \mid \exists x_j.(Rtx_j \wedge \varphi) \quad (\text{for } x_j \neq t),$$

where $x_j$ is a variable and $t, t'$ are either variables or constants. 

Clearly ST generates formulas in the bounded fragment. Crucially, however, we 
can also translate any formula in the bounded fragment into $\mathcal{H}(\downarrow,@)$ as follows: 



$$\begin{array}{l}
HT(Rtt') = @_t\Diamond t'. \\
HT(P_j t) = @_t p_j. \\
HT(t = t') = @_t t'. \\
HT(\neg\varphi) = \neg HT(\varphi). \\
HT(\varphi \wedge \psi) = HT(\varphi) \wedge HT(\psi). \\
HT(\exists v.(Rtv \wedge \varphi)) = @_t\Diamond{\downarrow}v.HT(\varphi).
\end{array}$$



By construction, HT{p) is a hybrid formula, but furthermore it is a boolean 
combination of @-formulas (formulas whose main operator is @). We can now 
prove the following strong truth preservation result. 



Proposition 2. Let $\varphi$ be a bounded formula. Then for every first-order model 
$\mathfrak{M}$ and for every assignment $g$, $\mathfrak{M} \Vdash \varphi[g]$ iff $\mathfrak{M}, g \Vdash HT(\varphi)$. 

Proof. Induction on the structure of $\varphi$. 

To summarize, there are effective translations between $\mathcal{H}(\downarrow,@)$ and the bounded 
fragment. 



4.3 Undecidability of $\mathcal{H}(\downarrow,@)$ 

We are now ready to discuss undecidability. The result we want to prove is this: 

The fragment of $\mathcal{H}(\downarrow)$ consisting of pure nominal-free sentences has an 
undecidable satisfaction problem. 

However we begin by quickly sketching an easy undecidability proof for the 
full language $\mathcal{H}(\downarrow,@)$. The proof uses the spypoint technique from the previous 
section together with results from [Spa93a]. By generalizing the methods used in 
this simple proof, we will be led to the Spypoint Theorem and the undecidability 
result just stated. 

Hemaspaandra shows in [Spa93a] that the global satisfaction problem of the 
uni-modal logic of the class K23 of frames is undecidable. K23 consists of all 
modal frames $(W, R)$ in which every state has at most 2 $R$-successors and at 
most 3 two-step $R$-successors. We will show that we can reduce the satisfiability 
problem of this logic to $\mathcal{H}(\downarrow,@)$. 

Let Grid be the conjunction of the following formulas: 

$$\begin{array}{ll}
G_1 & @_s\neg\Diamond s \\
G_2 & @_s\Diamond\top \\
G_3 & @_s(\Box\Box{\downarrow}x.@_s\Diamond x) \\
G_4 & @_s(\Box{\downarrow}y.\Box{\downarrow}x_1.@_y\Box{\downarrow}x_2.@_y\Box{\downarrow}x_3.(@_{x_1}x_2 \vee @_{x_1}x_3 \vee @_{x_2}x_3)) \\
G_5 & @_s(\Box{\downarrow}y.\Box\Box{\downarrow}x_1.@_y\Box\Box{\downarrow}x_2.@_y\Box\Box{\downarrow}x_3.@_y\Box\Box{\downarrow}x_4.\bigvee_{i \neq j}@_{x_i}x_j).
\end{array}$$

What does Grid express? Suppose it is satisfied in a model $\mathfrak{M}$ on a frame $(W, R)$. 
Then there exists a state which is named by $s$ (the spypoint). By $G_1$, $s$ is not 
related to itself. By $G_2$, $s$ is related to some state, and by $G_3$, every state which 
can be reached from $s$ in two steps can also be reached from $s$ in one step. 
This means that in $\mathfrak{M}_s$, the submodel of $\mathfrak{M}$ generated by $s$, every state is 
reachable from $s$ in one step. Now $G_4$ and $G_5$ express precisely the two conditions 
characterizing the class K23 on successors of $s$. Instead of spelling out this proof 
we show that the similar formula $@_s\Box{\downarrow}y.\Box{\downarrow}x_1.@_y\Box{\downarrow}x_2.@_{x_1}x_2$ expresses that 
every successor of $s$ in $\mathfrak{M}_s$ has at most one $R$-successor. As $G_4$ and $G_5$ follow the 
same pattern, it is easy to extend the argument below to verify their meaning. 



$$\begin{array}{ll}
 & \mathfrak{M}, g, s \Vdash \Box{\downarrow}y.\Box{\downarrow}x_1.@_y\Box{\downarrow}x_2.@_{x_1}x_2 \\
\text{iff} & (\forall w : sRw) : \mathfrak{M}, g^y_w, w \Vdash \Box{\downarrow}x_1.@_y\Box{\downarrow}x_2.@_{x_1}x_2 \\
\text{iff} & (\forall w : sRw)(\forall u : wRu) : \mathfrak{M}, (g^y_w)^{x_1}_u, u \Vdash @_y\Box{\downarrow}x_2.@_{x_1}x_2 \\
\text{iff} & (\forall w : sRw)(\forall u : wRu) : \mathfrak{M}, (g^y_w)^{x_1}_u, w \Vdash \Box{\downarrow}x_2.@_{x_1}x_2 \\
\text{iff} & (\forall w : sRw)(\forall u : wRu)(\forall v : wRv) : \mathfrak{M}, ((g^y_w)^{x_1}_u)^{x_2}_v, v \Vdash @_{x_1}x_2 \\
\text{iff} & (\forall w : sRw)(\forall u : wRu)(\forall v : wRv) : u = v.
\end{array}$$



Now we are ready to complete the proof. We claim that for every formula $\varphi$, 

$\varphi$ is globally satisfiable on a K23-frame iff $\mathrm{Grid} \wedge @_s\Box\varphi$ is satisfiable. 

The proof of the claim is a simple copy of the two constructions given in the 
proof of Theorem 2. 



4.4 Undecidability of pure nominal-free sentences of $\mathcal{H}(\downarrow)$ 

We are ready to prove our main result. We do so by analysing the previous proofs 
and generalizing the underlying ideas. The models used in the proof of Theorem 2 
and the undecidability proof just given both had a certain characteristic form. 
Let’s pin this down: 
Definition 5. A model $\mathfrak{M} = (W, R, V)$ is called a spypoint model if there is an 
element $s \in W$ (the spypoint) such that 

i. $\neg sRs$; 

ii. For all $w \in W$, if $w \neq s$, then $sRw$ and $wRs$. 

Notice that by ii above, any spypoint model is generated by its spypoint. We will 
now show that with $\downarrow$ we can easily create spypoint models. On these models we 
can create for every variable $x$ introduced by ${\downarrow}x$, a formula which has precisely 
the meaning of $@_x$. 

Proposition 3. Let $\mathfrak{M} = (M, R, V)$ and $s \in M$ be such that $\mathfrak{M}, s \Vdash {\downarrow}s.(\neg\Diamond s \wedge 
\Box\Box{\downarrow}x.\Diamond(s \wedge \Diamond x) \wedge \Box\Diamond s)$. Then, 

i. $\mathfrak{M}_s$, the submodel of $\mathfrak{M}$ generated by $s$, is a spypoint model with $s$ the 
spypoint. 

ii. $@_s\varphi$ is definable on $\mathfrak{M}_s$ by $(s \wedge \varphi) \vee \Diamond(s \wedge \varphi)$. 

iii. Let $g$ be any assignment. Then for all $u \in M_s$, $\mathfrak{M}_s, g, u \Vdash @_x\varphi$ iff 
$\mathfrak{M}_s, g, u \Vdash @_s((x \wedge \varphi) \vee \Diamond(x \wedge \varphi))$. 

Proof. i is immediate, ii and iii follow from the properties of a spypoint model. 

Now, spypoint models are very powerful: we can encode lots of information 
about Kripke models (for finitely many propositional variables) inside a spypoint 
model. More precisely, for each Kripke model $\mathfrak{M}$, we define the notion of a 
spypoint model of $\mathfrak{M}$. 

Definition 6. Let $\mathfrak{M} = (M, R, V)$ be a Kripke model in which the domain of 
$V$ is a finite set $\{p_1, \ldots, p_n\}$ of propositional variables. The spypoint model of 
$\mathfrak{M}$ (notation $\mathrm{Spy}[\mathfrak{M}]$) is the structure $(M', R', V')$ in which 

i. $M' = M \cup \{s\} \cup \{w_{p_1}, \ldots, w_{p_n}\}$, for $s, w_{p_1}, \ldots, w_{p_n} \notin M$; 

ii. $R' = R \cup \{(s, x), (x, s) \mid x \in M \cup \{w_{p_1}, \ldots, w_{p_n}\}\} \cup \{(x, w_{p_i}) \mid x \in M \text{ and } x \in V(p_i)\}$; 

iii. $V' = \emptyset$. 

Let $\{s, x_{p_1}, \ldots, x_{p_n}\}$ be a set of state variables. A spypoint assignment for this 
set is an assignment $g$ which sends $s$ to the spypoint $s$ and $x_{p_i}$ to $w_{p_i}$. We use $\mathsf{m}$ 
as an abbreviation for $\neg s \wedge \neg x_{p_1} \wedge \ldots \wedge \neg x_{p_n}$. Note that when evaluated under 
the spypoint assignment, the denotation of $\mathsf{m}$ in $\mathrm{Spy}[\mathfrak{M}]$ is precisely $M$. 

$\mathrm{Spy}[\mathfrak{M}]$ encodes the valuation on $\mathfrak{M}$ and we can take advantage of this fact. 
Define the following translation from uni-modal formulas to hybrid formulas: 

$$\begin{array}{l}
LT(p_i) = \Diamond x_{p_i} \\
LT(\neg\varphi) = \neg LT(\varphi) \\
LT(\varphi \wedge \psi) = LT(\varphi) \wedge LT(\psi) \\
LT(\Diamond\varphi) = \Diamond(\mathsf{m} \wedge LT(\varphi)).
\end{array}$$

Proposition 4. Let $\mathfrak{M}$ be a Kripke model and $\varphi$ a uni-modal formula. Then for 
any spypoint assignment $g$, 

$$\mathfrak{M} \models \varphi \text{ if and only if } \mathrm{Spy}[\mathfrak{M}], g, s \Vdash \Box(\mathsf{m} \to LT(\varphi)).$$

Proof. Immediate by the fact that the spypoint is $R'$-related to all states in the 
domain of $\mathfrak{M}$, and the interpretation of $\mathsf{m}$ under any spypoint assignment $g$. 
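The following Python code is an added example, not the paper's own: it implements the satisfaction clauses of Definition 4 (including $\downarrow$, $@$ and the Until definition from the start of Section 4), builds $\mathrm{Spy}[\mathfrak{M}]$ as in Definition 6 together with the translation $LT$, and checks Proposition 4 on a constructed three-state Kripke model. The tuple encoding of formulas, the state names, and the reading of Definition 6 under which the spypoint is related both ways to every other state of $M'$ are assumptions of this example.

```python
# Added example, not the paper's code: a model checker for H(↓,@) following
# Definition 4, the spypoint model Spy[M] of Definition 6 and the translation
# LT, used to check Proposition 4 on a small constructed Kripke model.
# Formulas are nested tuples over plain-string atoms (the encoding is ours):
#   ('atom', a)                       a in PROP, NOM or SVAR
#   ('not', f), ('and', f, g), ('box', f), ('dia', f)
#   ('at', s, f)  for @_s f           ('down', v, f)  for ↓v.f
# A model is (M, R, V): M a set of states, R a set of pairs, V a dict sending
# propositional variables and nominals to sets of states.


def imp(f, g):
    """f -> g written as the abbreviation ¬(f ∧ ¬g)."""
    return ('not', ('and', f, ('not', g)))


def sat(model, g, m, phi):
    """Definition 4: M, g, m ⊩ phi.  g maps state variables to states, so an
    atom that occurs in g is a state variable and [V,g](a) = {g(a)}."""
    M, R, V = model
    kind = phi[0]
    if kind == 'atom':
        a = phi[1]
        return m in ({g[a]} if a in g else V.get(a, set()))
    if kind == 'not':
        return not sat(model, g, m, phi[1])
    if kind == 'and':
        return sat(model, g, m, phi[1]) and sat(model, g, m, phi[2])
    if kind == 'box':
        return all(sat(model, g, n, phi[1]) for (x, n) in R if x == m)
    if kind == 'dia':
        return any(sat(model, g, n, phi[1]) for (x, n) in R if x == m)
    if kind == 'down':                      # ↓v.f: evaluate f under g^v_m
        return sat(model, {**g, phi[1]: m}, m, phi[2])
    if kind == 'at':                        # @_s f: jump to the state named s
        names = {g[phi[1]]} if phi[1] in g else V[phi[1]]
        assert len(names) == 1, 'a state symbol names exactly one state'
        return sat(model, g, next(iter(names)), phi[2])
    raise ValueError('unknown connective %r' % (kind,))


def until(f, g):
    """The Until definition of Section 4: ↓x.◇↓y.@_x(◇(y ∧ f) ∧ □(◇y → g))."""
    y = ('atom', 'y')
    body = ('and', ('dia', ('and', y, f)), ('box', imp(('dia', y), g)))
    return ('down', 'x', ('dia', ('down', 'y', ('at', 'x', body))))


def spy_model(model, props):
    """Definition 6: Spy[M].  Assumed reading (the set-builder is damaged in
    the scan): s is related both ways to every other state of M', so that
    Spy[M] is a spypoint model in the sense of Definition 5."""
    M, R, V = model
    s, w = 's', {p: 'w_' + p for p in props}
    assert s not in M and not set(w.values()) & set(M), 'fresh states needed'
    M2 = set(M) | {s} | set(w.values())
    R2 = set(R) | {(s, x) for x in M2 if x != s} | {(x, s) for x in M2 if x != s}
    R2 |= {(x, w[p]) for p in props for x in V.get(p, set())}  # x ∈ V(p_i)
    return (M2, R2, {})                                        # V' = ∅


def spy_assignment(props):
    """The spypoint assignment: s ↦ s and x_{p_i} ↦ w_{p_i}."""
    return {'s': 's', **{'x_' + p: 'w_' + p for p in props}}


def m_abbrev(props):
    """m := ¬s ∧ ¬x_{p_1} ∧ ... ∧ ¬x_{p_n}; under the spypoint assignment it
    denotes exactly the original domain M."""
    f = ('not', ('atom', 's'))
    for p in props:
        f = ('and', f, ('not', ('atom', 'x_' + p)))
    return f


def LT(phi, props):
    """Translation of uni-modal formulas (over atoms, ¬, ∧, ◇) into H(↓)."""
    kind = phi[0]
    if kind == 'atom':                                    # LT(p_i) = ◇x_{p_i}
        return ('dia', ('atom', 'x_' + phi[1]))
    if kind == 'not':
        return ('not', LT(phi[1], props))
    if kind == 'and':
        return ('and', LT(phi[1], props), LT(phi[2], props))
    if kind == 'dia':                                     # ◇(m ∧ LT(φ))
        return ('dia', ('and', m_abbrev(props), LT(phi[1], props)))
    raise ValueError('LT is defined for atoms, ¬, ∧ and ◇ only')


def proposition4(model, props, phi):
    """Returns the pair (M ⊨ φ, Spy[M], g, s ⊩ □(m → LT(φ))); Proposition 4
    says that the two truth values always agree."""
    M, R, V = model
    lhs = all(sat(model, {}, w, phi) for w in M)
    encoded = ('box', imp(m_abbrev(props), LT(phi, props)))
    rhs = sat(spy_model(model, props), spy_assignment(props), 's', encoded)
    return lhs, rhs


# Constructed sample Kripke model: a → b → c with c reflexive; p at b, c; q at a.
P, Q = ('atom', 'p'), ('atom', 'q')
SAMPLE = ({'a', 'b', 'c'}, {('a', 'b'), ('b', 'c'), ('c', 'c')},
          {'p': {'b', 'c'}, 'q': {'a'}})
PROPS = ['p', 'q']

if __name__ == '__main__':
    for phi in (imp(P, ('dia', P)), imp(Q, ('dia', Q)), ('dia', P)):
        print(phi, proposition4(SAMPLE, PROPS, phi))
    print('Until(p,q) at a:', sat(SAMPLE, {}, 'a', until(P, Q)))
```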

We modify the hybrid translation $HT$ to its relativized version $HT^{\mathsf{m}}$ which also 
defines away occurrences of $@$. Define $HT^{\mathsf{m}}(\exists v.(Rtv \wedge \varphi))$ as $@_t\Diamond{\downarrow}v.(\mathsf{m} \wedge 
HT^{\mathsf{m}}(\varphi))$ and replace all $@$ symbols by their definition as indicated in Proposition 
3.ii and 3.iii. 

The crucial step is now the fact that $\downarrow$ is strong enough to encode many 
frame-conditions. 

Proposition 5. Let $\mathfrak{M} = (M, R, V)$ be a Kripke model. Let $C(y)$ be a formula 
in the bounded fragment in the signature $\{R, =\}$. Then for any assignment $g$, 

$$(M, R) \models \forall y.C(y) \text{ if and only if } \mathrm{Spy}[\mathfrak{M}], g, s \Vdash \Box{\downarrow}y.(\mathsf{m} \to HT^{\mathsf{m}}(C(y))).$$

Proof. Immediate by the properties of $HT$, Proposition 3, and the fact that the 
spypoint is $R'$-related to all states in the domain of $\mathfrak{M}$. 

Theorem 3 (Spypoint theorem). Let $\varphi$ be a uni-modal formula in $\{p_1, \ldots, p_n\}$ 
and $\forall y.C(y)$ a first-order frame condition in $\{R, =\}$ with $C(y)$ in the bounded 
fragment. The following are equivalent. 

i. There exists a Kripke model $\mathfrak{M} = (M, R, V)$ such that $(M, R) \models \forall y.C(y)$ 
and $\mathfrak{M} \models \varphi$. 

ii. The pure hybrid sentence $F$ in the language $\mathcal{H}(\downarrow)$ is satisfiable. $F$ is 

$${\downarrow}s.(\mathrm{SPY} \wedge \Diamond{\downarrow}x_{p_1}.@_s\Diamond{\downarrow}x_{p_2}.@_s \ldots \Diamond{\downarrow}x_{p_n}.@_s(\mathrm{DIS} \wedge \mathrm{VAL} \wedge \mathrm{FR})),$$

where 

$$\begin{array}{l}
\mathrm{SPY} = \neg\Diamond s \wedge \Box\Box{\downarrow}x.\Diamond(s \wedge \Diamond x) \wedge \Box\Diamond s \\
\mathrm{DIS} = \Box\big(\bigwedge_{1 \le i \le n}(x_{p_i} \to \bigwedge_{j \neq i}\neg x_{p_j})\big) \\
\mathrm{VAL} = \Box(\mathsf{m} \to LT(\varphi)) \\
\mathrm{FR} = \Box{\downarrow}y.(\mathsf{m} \to HT^{\mathsf{m}}(C(y))).
\end{array}$$

Proof. The way we have written it, $F$ contains occurrences of $@$, but this does 
not matter: by Proposition 3 all these occurrences can be term-defined. So let’s 
check that $F$ works as claimed. 

For the implication from i to ii, let $\mathfrak{M}$ be a Kripke model as in i. We claim 
that $\mathrm{Spy}[\mathfrak{M}], s \Vdash F$. The first conjunct of $F$ is true in $\mathrm{Spy}[\mathfrak{M}]$ at $s$ by Proposition 
3. The diamond part of the second conjunct can be satisfied using any spypoint 
assignment $g$. In the spypoint model all $w_{p_i}$ are pairwise distinct, whence 
$\mathrm{Spy}[\mathfrak{M}], g, s \Vdash \mathrm{DIS}$. By Propositions 4 and 5, also $\mathrm{Spy}[\mathfrak{M}], g, s \Vdash \mathrm{VAL} \wedge \mathrm{FR}$. 

For the other direction, let $\mathfrak{M}, s \Vdash F$. By Proposition 3, the submodel $\mathfrak{M}_s = 
(M_s, R_s, V_s)$ generated by $s$ is a spypoint model. Let $g$ be the assignment such 
that $\mathfrak{M}_s, g, s \Vdash \mathrm{DIS} \wedge \mathrm{VAL} \wedge \mathrm{FR}$. By DIS, $g(x_{p_i}) \neq g(x_{p_j})$ for all $i \neq j$, and 
(since $\neg sRs$) also $g(x_{p_i}) \neq s$, for all $i$. Define the following Kripke model $\mathfrak{M}' = 
(M', R', V')$ where 

$$\begin{array}{l}
M' = M_s \setminus \{g(s), g(x_{p_1}), \ldots, g(x_{p_n})\} \\
R' = R_s{\upharpoonright}M' \\
V'(p_i) = \{w \mid wR_s\, g(x_{p_i})\}.
\end{array}$$

Note that $\mathrm{Spy}[\mathfrak{M}']$ is precisely $\mathfrak{M}_s$, and $g$ is a spypoint assignment. But then by 
Propositions 4 and 5 and the fact that $\mathfrak{M}_s, g, s \Vdash \mathrm{VAL} \wedge \mathrm{FR}$, we obtain $\mathfrak{M}' \models \varphi$ 
and $(M', R') \models \forall y.C(y)$. 

The proof of the claimed undecidability result is now straightforward. 

Corollary 1. The fragment of $\mathcal{H}(\downarrow)$ consisting of all pure nominal-free sentences 
has an undecidable satisfaction problem. 

Proof. We will reduce the undecidable global satisfaction problem in the uni-modal 
language over the class K23, just as we did in our easy undecidability 
result for $\mathcal{H}(\downarrow,@)$. The first-order frame conditions defining K23 are of the form 
$\forall y.C(y)$ with $C(y)$ in the bounded fragment. (This is easy to check. For instance, 
“$y$ has at most two successors” can be written as $\forall x_1.(Ryx_1 \to \forall x_2.(Ryx_2 \to \forall x_3.(Ryx_3 \to 
(x_1 = x_2 \vee x_1 = x_3 \vee x_2 = x_3))))$.) Now apply the Spypoint Theorem. The formula 
$F$ (after all occurrences of $@$ have been term-defined) is a pure nominal-free 
sentence of $\mathcal{H}(\downarrow)$, and the result follows. 

Because of the generality of the Spypoint Theorem, it seems unlikely that even 
restricted forms of label binding will lead to decidable systems. For this reason, 
much of our ongoing research is focusing on binder-free systems, such as Until-based 
languages enriched with nominals and $@$, and modal languages with 
counting modalities (these are widely used in description logic) enriched in the 
same way. 

5 Concluding remarks 

In this paper we have examined the complexity of a number of hybrid languages. 
Our results have been both positive and negative and we sum them up here: 

1. Adding nominals and $@$ to the uni-modal language, or even the multi-modal 
language, does not lead to an increase in complexity: K-satisfiability remains 
PSPACE-complete. 

2. On the other hand, adding even one nominal to the language of tense logic 
takes the complexity from PSPACE-complete to EXPTIME-complete. 

3. We provide a simple proof of the known fact that $\mathcal{H}(\downarrow,@)$ is undecidable. 
Furthermore, we prove that very restricted use of $\downarrow$ leads already to undecidability. 
In fact, undecidability strikes even in the sentential fragment of 
the uni-modal language without $@$ or propositional variables. 

Furthermore, a simple extension of the undecidability proof provided in this 
paper shows that this last fragment is even a conservative reduction class in the 
sense of [BGG97]. 

Needless to say, the results we presented form just a preliminary sketch of 
the complexity-theoretic territory occupied by hybrid languages. The spectrum 
of plausible directions for further work is huge. As an example, we have only 
considered logics with full Boolean expressive power. In the description logic 
community, fragments which restrict negation or disallow disjunctions (aiming to 
obtain good computational behavior) are standard. Again, the generality of the 
Spypoint Theorem will be of much help in mapping these new variations. 
Abstract. We define a monadic logic MonadicNLIN which is a fragment 
of Grandjean’s logic for the class NLIN of problems solvable in linear 
time on nondeterministic random-access machines. This logic operates 
on functional rather than the usual relational structures of finite 
model theory, and we adapt the notions of quantifier-free interpretation 
and reduction to this functional setting. We also introduce the notion of 
compatible successor function, which, in our setting, replaces the built-in 
linear order relations used in logical characterisations of complexity 
classes. We show that MonadicNLIN is closed under quantifier-free 
functional reductions, that CNF-SAT is complete for MonadicNLIN 
under these reductions, and that MonadicNLIN contains a large number 
of NP-complete problems, but not the set of connected graphs. 



Keywords: descriptional complexity, computational complexity, functional structures, 
linear time 



1 Introduction 

Following Fagin’s seminal paper [Fag74], logical characterisations of complexity 
classes have become a very active research area, and today, for most major 
classes of computational complexity such characterisations have been found (cf. 
[Imm99]). Apart from providing a static, syntactic description of a dynamic, 
semantic notion, one main aspect of most of these characterisations is that they 
are in terms of relational structures, without any explicit reference to string 
encodings. For instance, by Fagin’s theorem, the class of graph problems in NP 
is the class of those sets of graphs that can be defined in existential second-order 
logic, on graphs, i.e., over a signature containing one single binary predicate 
symbol (for the edge relation). This is possible where complexity classes are 
insensitive to the precise nature of input encodings; for most classes, this can 
vary in length within a polynomial without affecting the class. The situation is 
quite different if we consider more fine-grained complexity classes, e.g., linear 
time. Although frequently used in algorithm design, this notion is far from having 
a generally accepted, precise definition. It seems to depend too strongly on details 
of both the computational model and the input representation. For instance, 
in the case of graph algorithms, linear usually means linear in $|V| + |E|$. This 
calls for a different high-level representation of graphs, with a universe which 
consists of both vertices and edges. Although such representations had been used 
before, with the graph structure given by the incidence relation (cf. [Cou94]), one 
further idea was needed in order to model linear time on graphs: in [GO94,GO96], 
Grandjean and Olive gave a logical characterisation of the class NLIN (linear 
time on nondeterministic random-access machines) on functional structures. 
In this setting, a graph is represented by two functions, head and tail, which 
map edges to their endpoints. This representation corresponds rather closely to 
the adjacency lists used in algorithm design, and Grandjean and Olive showed, 
building on an earlier logical characterisation over strings, given by Grandjean 
([Gra94b,Gra94a,Gra96]), that NLIN contains precisely those sets of functional 
structures which can be defined by formulae of the form $\exists \bar f\, \forall x\, \varphi$, where $\bar f$ is a 
list of unary function symbols, and $\varphi$ is a quantifier-free first-order formula. 

J. Flum and M. Rodriguez-Artalejo (Eds.): CSL'99, LNCS 1683, pp. 322-337, 1999. 
© Springer-Verlag Berlin Heidelberg 1999 

MonadicNLIN and Quantifier-Free Reductions 323 

One central motivation for studying logical characterisations of complexity classes 
is the hope that it might be possible to bring tools from logic to bear on 
complexity-theoretic problems. In an attempt to shed light on the NP vs. coNP problem, 
Fagin investigated the class MonadicNP of those problems which are defined by 
sentences in the logic Monadic $\Sigma^1_1$, the restriction of $\Sigma^1_1$ in which second-order 
quantifiers range only over sets, instead of arbitrary relations ([Fag75]). This 
class still contains NP-complete problems, but Fagin showed that it does not 
contain the set of connected graphs (hence is not closed under complement). 

In this paper we pursue a similar programme for NLIN. By restricting the scope 
of the second-order quantifiers in the above formula to sets rather than functions, 
we define the class MonadicNLIN, a subclass of NLIN which possesses 
a number of interesting properties: it contains a large number of NP-complete 
problems and consists of precisely those problems which are reducible to CNF-SAT 
by quantifier-free reductions. On the other hand there are computationally 
simple problems not contained in it, notably, as in the case of MonadicNP, the 
set of connected graphs. 

In the course of our investigations we have to adapt notions and methods from 
the realm of relational to that of functional structures. This concerns the notions 
of (quantifier-free) interpretation and reduction, which, mainly due to the pos- 
sibility of nested terms, become more complicated in our setting. 

More importantly, however, we also have to deal with the problem of input 
representation, which cannot be ignored in the context of linear time. In order to 
model the sequentiality of computation, logics which are intended to characterise 
complexity classes have to make use of some kind of order or successor on the 
input data. If the logic is expressive enough, as in the case of $\Sigma^1_1$ or Grandjean's 
logic, such an order can be quantified. In the case of weaker logics, however, one 
has to assume the structures to be given with a built-in order. Since we want to 
express properties of structures which are independent of the particular choice 
of an order, in this situation we usually restrict the logic to order-independent 
formulae: such a formula holds either for all orderings of the structure, or for 
none (cf., e.g., [Imm99]). In our context order-independence is quite a delicate 
notion, since subclasses of linear time are not necessarily entirely independent 
of the input order. When designing an algorithm, we usually assume the input 
graph to be given in some systematic way, e.g., in form of an adjacency list. 
However, the order in which vertices appear in this input should be irrelevant, 
as long as this systematic form is retained - in the case of adjacency lists this 
means that edges adjacent to one vertex appear in direct succession. We model 
this restriction on the input order with the notion of a compatible successor 
function and require the validity of formulae to be invariant under different choices 
of compatible successors. 

2 MonadicNLIN 

In this section we first specify the signatures $\sigma$ of our logic. Then, we describe 
extensions $\sigma'$ of these signatures with additional symbols interpreted “compatibly” 
with the original ones and specify the syntax of a MonadicNLIN formula. 

Definition 1 (unary functional structure). 

• A unary functional signature is a finite set of function symbols of arity¹ $\le 1$. 

• A unary functional structure is a finite structure over a unary functional 
signature. 

In the following “functional signature (structure)” will always mean “unary func- 
tional signature (structure)”. We presume that in every functional signature 
there is at least one constant symbol, nil, and one unary function symbol. If 
there is more than one constant we will use the symbols 0, 1, . . . ,n, with 0 as a 
synonym for nil. 

Examples 1 

1. We view a directed graph as a functional structure whose universe can be 
partitioned into vertices, edges and an element nil, with functions head and tail 
mapping edges to vertices: tail maps an edge to its starting vertex and head 
maps it to its target vertex. Vertices are characterised by the fact that they are 
mapped by head and tail to the constant nil, which we assume to be a fixpoint 
of both head and tail. Hence, a directed graph is a $\sigma_G$-structure $\mathcal{G}$ - with 
$\sigma_G := \{head, tail, nil\}$ consisting of unary function symbols head and tail and 
constant symbol nil - in which the universe is partitioned by the predicates 
$NIL(x) :\Leftrightarrow head(x) = tail(x) = x = nil$, $E(x) :\Leftrightarrow V(head(x)) \wedge V(tail(x))$, and 
$V(x) :\Leftrightarrow \neg NIL(x) \wedge NIL(head(x)) \wedge NIL(tail(x))$. 

2. We view a Boolean formula in CNF as a functional structure whose universe 
can be partitioned into clauses, occurrences, variables and elements 0 and 1 and 
where a function junction maps clauses to 0, variables to 1 and occurrences 
to clauses, a function var maps occurrences to variables or to 0 (FALSE) or 
1 (TRUE) and a function neg maps occurrences to $\{0, 1\}$ (positive or negative 
occurrence). Thus, a Boolean formula in CNF is a $\sigma_{CNF}$-structure $\mathcal{B}$, with 
$\sigma_{CNF} := \{junction, var, neg, 0, 1\}$, where the partition of the universe into zero, 
one, variables, occurrences, and clauses can easily be expressed in first order by 
predicates ZERO, ONE, V, C, O. 

¹ By “function symbol of arity 0” we mean a constant symbol. 
Fig. 1. 
Fig. 2. A CNF-formula and its function graph. The function junction is represented 
by solid, var by dotted, and neg by dashed lines. Function values not shown are all 0. 



3. Boolean formulae in k-CNF, i.e., with precisely $k$ literals per clause, can be 
represented more easily: Here the universe consists of 0, 1, a set $C$ of clauses and 
a set $V$ of variables, and we have $k$ functions $f_1, \ldots, f_k : C \to V$ to indicate the 
variable for each literal, and $k$ functions $neg_1, \ldots, neg_k : C \to \{0, 1\}$ to indicate 
which variables occur negated. Thus these formulas are $\sigma_{kCNF}$-structures, with 
signature $\sigma_{kCNF} := \{f_1, \ldots, f_k, neg_1, \ldots, neg_k, 0, 1\}$. 

We want to define sets of functional structures by syntactic restrictions on 
Grandjean's logic - which already is quite restrictive. In order to obtain 
something computationally meaningful, we have to provide some means of expressing 
a systematic exploration of the structure. In other contexts, this is usually done 
by a built-in linear order relation; in our functional setting, we use successor 
functions instead. However, not every successor will be equally useful: in order 
to explain our choice of successor, let us look at the example of graphs. 
Algorithms on graphs often assume the input to be given in the form of an adjacency 
list, i.e. an array (or a linked list) of pairs $(v, l(v))$, where each $v \in V$ appears 
precisely once, and $l(v)$ is a linked list of all the edges leaving $v$. Such an 
adjacency list induces the successor function which starts with the first vertex in 
the main list, after each vertex $v$ enumerates all of $l(v)$ and at the end of $l(v)$ 
continues with the vertex which succeeds $v$ in the main list. If we transfer this 
successor function onto our functional representation of the graph we see that 
it corresponds to the preorder generated by a depth-first traversal of the rooted 
Fig. 3. An adjacency list representation of the graph of Figure 1 



tree given by the function tail: such a traversal starts at nil, next it will visit 
a vertex, after each vertex $v$ all edges $e$ with $tail(e) = v$ are visited before the 
traversal moves on to some other vertex, and so on. Over graphs, the compatible 
successor functions on $V \cup E$ will be just those derived in this way from an 
adjacency list representation of $G$. 

Now the correctness of an algorithm on adjacency lists should not depend on 
the order in which the vertices appear in the main list, nor on the order of any 
of the edge lists. Correspondingly, when describing a graph property by a logical 
formula $\Phi$ containing a successor function symbol $s$ we want 

• $s$ to be interpreted by a successor function which corresponds to an adjacency 
list representation 

• $\Phi$'s validity on a given graph $G$ to be independent of which adjacency list 
representation of $G$ is modeled by $s$. 

When dealing with general functional structures, there is no distinguished func- 
tion - even on graphs we might as well use head instead of tail, which would give 
us a successor corresponding to the dual adjacency list with lists of incoming 
rather than outgoing edges. A further complication arises from the fact that, in 
general, function graphs are not trees but unions of components each of which 
consists of a set of trees whose roots are connected in a cycle. 

The following definitions take this into account. 

Definition 2 (compatible successors). 

Let $U$ be a finite set and let $f : U \to U$ be a function. 

• Let $f$ define a connected graph $F = \{(u, f(u)) \mid u \in U\}$. Since there is 
exactly one cycle $C$ in $F$, deleting one pair $(u', f(u'))$ of $C$ leaves a tree, 
which we denote by $F_{u'}$. 
A successor function $s$ on $U$ is pre-compatible with $f$ if there is a $u'$ such 
that $s$ is obtained by a preorder traversal of $F_{u'}$, i.e., a depth first traversal 
of $F_{u'}$ which lists the elements of $U$ the first time they are encountered during 
the traversal. 

• For general $f$ a successor function on $U$ is pre-compatible with $f$ if 
it is pre-compatible with $f$ on every connected component of $F = \{(u, f(u)) \mid u \in U\}$. 

• Analogously, a successor function is post-compatible with $f$ if, for 
some $u'$, it is obtained by a depth first traversal of $F_{u'}$ which lists the elements 
of $U$ the last time they are encountered during the traversal. 

Examples 2 

1. A successor function on the graph of Figure 1 pre-compatible with tail is drawn 
in Figure 4. 

Fig. 4. The successor function is shown by solid arcs. 




2. Let $\mathcal{B}$ be a $\{junction, var, neg, 0, 1\}$-structure representing a Boolean formula 
in CNF. A successor function $s$ pre-compatible with junction starts with one of 
the elements 0 and 1. If it starts with 1, this element is followed by a list of the 
variables followed by the element 0; then the clauses follow, but with a list of all 
its occurrences inserted immediately after each clause. If $s$ starts with 0 then the 
parts (1, variables) (0, clause, occurrences, clause ...) are interchanged. 

Definition 3 (MonadicNLIN). Let $\sigma$ be a unary functional signature. 

1. Set $\sigma^{succ} := \sigma \cup \{s^{pre}_f, s^{post}_f, min^{pre}_f, max^{pre}_f, min^{post}_f, max^{post}_f \mid f \in \sigma,\ f \text{ has arity } 1\}$, 
where the $s^{pre}_f, s^{post}_f, min^{pre}_f, max^{pre}_f, min^{post}_f, max^{post}_f$ are function symbols of arities 
1, 1, 0, 0, 0 and 0, respectively. Let $\sigma \subseteq \sigma' \subseteq \sigma^{succ}$ and set $\sigma^s := \sigma' \setminus \sigma$. We say 
that a $\sigma'$-structure $\mathcal{A}'$ is a compatible $\sigma'$-extension of a $\sigma$-structure $\mathcal{A}$ if 

• $U^{\mathcal{A}'} = U^{\mathcal{A}}$ and $f^{\mathcal{A}'} = f^{\mathcal{A}}$ for $f \in \sigma$ and 

• the symbols $s^{pre}_f$ resp. $s^{post}_f$ in $\sigma'$ are interpreted in $\mathcal{A}'$ as successor 
functions pre-compatible resp. post-compatible with $f$ and the constant symbols 
$min^{pre}_f, max^{pre}_f, min^{post}_f, max^{post}_f$ as the respective minima and maxima. 

Let $\mathcal{B}$ be a functional structure over the signature $\sigma$ representing a relational 
structure $\mathcal{A}$ as in Example 1.1. We will call (cf. Section 4) any compatible 
$\sigma'$-extension $\mathcal{B}'$ of $\mathcal{B}$ an admissible representation of $\mathcal{A}$. 

2. A $\sigma$-property $\mathcal{P}$ (i.e. a class $\mathcal{P}$ of $\sigma$-structures which is closed under 
$\sigma$-isomorphisms) is a MonadicNLIN$_{\sigma,\sigma'}$-property, if $\sigma \subseteq \sigma' \subseteq \sigma^{succ}$ and there is 
a second-order formula $\Phi(\sigma')$ such that 

• $\Phi$ is of the form $\exists \bar X\, \forall x\, \varphi$ where $\bar X$ is a tuple of unary second-order variables 
and $\varphi$ is a quantifier-free $\sigma'$-formula in the $X_i$ and in one first-order variable 
$x$ and 

• for any $\sigma$-structure $\mathcal{A}$ and any compatible $\sigma'$-extension $\mathcal{A}'$ of $\mathcal{A}$ we have 

$\mathcal{A} \in \mathcal{P} \iff \mathcal{A}' \models \Phi$. 

3. We write 

• $\mathcal{P} \in$ MonadicNLIN$_{\sigma,\sigma'}$ if $\mathcal{P}$ is a MonadicNLIN$_{\sigma,\sigma'}$-property, 

• $\mathcal{P} \in$ MonadicNLIN$_\sigma$ if $\mathcal{P}$ is a MonadicNLIN$_{\sigma,\sigma'}$-property for some $\sigma'$ 
and 

• $\mathcal{P} \in$ MonadicNLIN if $\mathcal{P} \in$ MonadicNLIN$_\sigma$ for some $\sigma$. 

The name MonadicNLIN and the syntax of our formulae are motivated by the 
logic $\exists \bar f\, \forall x\, \varphi$, with unary function variables $\bar f$, which on functional structures 
characterises NLIN, i.e. non-deterministic linear time on Grandjean's RAM 
model, [GO96]. The restriction to linear time is reflected both by the restricted 
first-order syntax and the use of unary functional structures. We give some 
evidence that our restriction to monadic second-order quantification still defines an 
expressive class. 

Proposition 1. 

The following problems are in MonadicNLIN: SCOT, KERNEL, CNF-SAT, 
2PPM². 

Proof: To illustrate the use of the successors, we sketch the proof for CNF-SAT: 
Let $F$ be a Boolean formula in CNF. Denote an assignment of truth values by 
a partition of the variables into sets $P$ (truth value 1) and $\neg P$ (truth value 0). 
Given a successor function on the occurrences, $F \in$ CNF-SAT iff there is $P$ 
and a predicate $R(x)$ (“Red”) on the occurrences such that 

1. in each clause, the first occurrence is red if and only if it is satisfying; 

2. the successor of an occurrence $o$ is red if and only if it is satisfying or $o$ is red; 

3. the last occurrence in each clause is red. 

We can express that $x$ is a satisfying occurrence wrt $P$ by a formula $sat_P(x)$. 
Hence, with a junction-pre-compatible successor $s$ we can express 1.-3.: 

1. by $\varphi_1(x) = [C(x) \wedge O(s(x))] \to [R(s(x)) \leftrightarrow sat_P(s(x))]$, 

2. by $\varphi_2(x) = O(x) \to [R(s(x)) \leftrightarrow (sat_P(s(x)) \vee R(x))]$, 

3. by $\varphi_3(x) = [(O(x) \wedge C(s(x))) \vee x = max] \to R(x)$. □ 
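As an added worked illustration of Example 1.2, Definition 2 and the proof above (my code, not the paper's): a CNF formula is built as a functional structure over {junction, var, neg, 0, 1}, several successor functions pre-compatible with junction are generated as depth-first preorders of the function graph of junction, and conditions (1)-(3) are evaluated for a guessed set P; the verdict is the same for every compatible successor. The element numbering, the DIMACS-style input and the rule that the subtree of 1 is visited before the clauses are my assumptions.

```python
"""Added example, not part of the paper: a CNF formula as a functional structure
over {junction, var, neg, 0, 1} (Example 1.2), successor functions pre-compatible
with junction (Definition 2, Example 2.2) and the check (1)-(3) from the proof of
Proposition 1.  Element numbering, DIMACS-style input and child orderings are mine."""
import random
from itertools import product

def cnf_structure(clauses, n_vars):
    """Clauses: lists of non-zero ints (-3 = "not x3"), all non-empty.  Universe:
    0, 1, variables 2..n+1, then per clause its element followed by one element
    per occurrence.  Values Example 1.2 leaves open are 0 (caption of Fig. 2)."""
    var_el = {v: v + 1 for v in range(1, n_vars + 1)}
    U = [0, 1] + sorted(var_el.values())
    junction = {0: 0, 1: 0, **{e: 1 for e in var_el.values()}}  # variables -> 1
    var, neg, C, O = {}, {}, set(), set()
    for lits in clauses:
        c = len(U); U.append(c); C.add(c); junction[c] = 0     # clauses -> 0
        for lit in lits:
            o = len(U); U.append(o); O.add(o)
            junction[o], var[o], neg[o] = c, var_el[abs(lit)], int(lit < 0)
    for x in U:
        var.setdefault(x, 0); neg.setdefault(x, 0)
    return {"U": U, "junction": junction, "var": var, "neg": neg,
            "C": C, "O": O, "V": set(var_el.values())}

def pre_compatible_successors(B, f="junction", how_many=4, seed=1):
    """Definition 2 for f = junction: the function graph has the single cycle
    {(0, 0)}; deleting it leaves a tree rooted at 0 whose children of y are the
    x with f(x) = y.  A depth-first traversal from 0 listing elements when first
    met is a preorder; permuting children gives other compatible successors.  The
    subtree of 1 is taken first (my assumption) so the walk ends in the last clause."""
    children = {y: [x for x in B["U"] if B[f][x] == y and x != y] for y in B["U"]}
    rng, result = random.Random(seed), []
    for k in range(how_many):
        order = []
        def visit(y):
            order.append(y)
            kids = list(children[y])
            if k > 0:
                rng.shuffle(kids)
            if y == 0:
                kids.remove(1); kids.insert(0, 1)
            for x in kids:
                visit(x)
        visit(0)
        result.append((order[0], dict(zip(order, order[1:])), order[-1]))
    return result

def sat_P(B, P, x):
    """x is a satisfying occurrence w.r.t. P (the variables set to true)."""
    v = B["var"][x]
    return ((v in P) if v in B["V"] else v == 1) != bool(B["neg"][x])

def red_predicate(B, succ, P):
    """The R forced by (1) and (2) along the successor; free values are true."""
    mn, s, _ = succ
    R, x = {mn}, mn
    while x in s:
        y = s[x]
        if x in B["C"] and y in B["O"]:      # (1) first occurrence of a clause
            red = sat_P(B, P, y)
        elif x in B["O"]:                     # (2) element after an occurrence
            red = sat_P(B, P, y) or x in R
        else:
            red = True
        if red:
            R.add(y)
        x = y
    return R

def conditions_hold(B, succ, P, R):
    """Evaluate forall x (phi_1 and phi_2 and phi_3) of the proof literally."""
    _, s, mx = succ
    C, O = B["C"], B["O"]
    for x in B["U"]:
        y = s.get(x)
        if x in C and y in O and (y in R) != sat_P(B, P, y):
            return False
        if x in O and y is not None and (y in R) != (sat_P(B, P, y) or x in R):
            return False
        if ((x in O and y in C) or x == mx) and x not in R:
            return False
    return True

def satisfiable_via_successor(B, succ):
    """F in CNF-SAT iff some P and R satisfy (1)-(3): guess P, derive R, check."""
    vs = sorted(B["V"])
    return any(conditions_hold(B, succ, P, red_predicate(B, succ, P))
               for bits in product((0, 1), repeat=len(vs))
               for P in [{v for v, b in zip(vs, bits) if b}])

def satisfiable_brute_force(clauses, n_vars):  # reference answer by truth table
    return any(all(any(bits[abs(l) - 1] != (l < 0) for l in cl) for cl in clauses)
               for bits in product((False, True), repeat=n_vars))

def invariant_under_successors(clauses, n_vars):  # same verdict for every successor
    B = cnf_structure(clauses, n_vars)
    verdicts = {satisfiable_via_successor(B, sc) for sc in pre_compatible_successors(B)}
    return verdicts == {satisfiable_brute_force(clauses, n_vars)}
```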

3 Quantifier-free reductions and the completeness of 
CNF-SAT 

In this section we define a way to interpret one functional signature $\tau$ in terms 
of another functional signature $\sigma$ in analogy to the relational interpretations of 
[Cos93]. We derive natural notions of reduction and of MonadicNLIN-completeness, 
and show that MonadicNLIN is closed under these reductions and that CNF-SAT 
is MonadicNLIN-complete. 

² 2-partition into perfect matchings, cf. [Cre95] 

We sketch the idea behind our notion of interpretation first: Basically an 
interpretation $I$ associates to every function symbol $g$ in $\tau$ a $\sigma$-term $t$. Evaluated 
in a given $\sigma$-structure $\mathcal{A}$ with universe $A$, $t(a)$ defines the value of $g(a)$ for any 
$a \in A$.³ Thus an interpretation $I$ of $\tau$ in $\sigma$ associates to every $\sigma$-structure a 
$\tau$-structure $I(\mathcal{A})$. We use two generalisations: 1. The values of $g$ in $I(\mathcal{A})$ will be 
defined by a case-distinction expressed by $\sigma$-formulae $\varphi^r$: if for $a \in A$ we have 
$\mathcal{A} \models \varphi^r(a)$ then we will evaluate a corresponding $\sigma$-term $t^r(a)$ to obtain $g(a)$.⁴ 
2. We will allow interpretations for which the universe of $I(\mathcal{A})$ consists of $c$ copies 
of the universe of $\mathcal{A}$, i.e. consists of elements $(a, k)$, $k = 1, \ldots, c$, where the constant 
$c$ is given by the interpretation.⁵ In such a case we have to define $g$ on each of 
the $c$ “levels” of the universe of $I(\mathcal{A})$ and want to be able to express that $(a, k)$ 
is mapped to $(a', l)$ on a possibly different level $l$. Such a definition is formalized 
by $\sigma$-formulae $\varphi_{kl}$ and $\sigma$-terms $t_{kl}$ describing that $g(a, k) = (t_{kl}(a), l)$ whenever 
$\mathcal{A} \models \varphi_{kl}(a)$.⁶ 

Definition 4 (qffi). Let $\sigma$ and $\tau$ be functional signatures. A 1-dimensional 
quantifier-free functional interpretation of $\tau$ in $\sigma$, or qffi of $\tau$ in $\sigma$ for short, is 
a tuple $I = (c, \bar c, \bar\varphi, \bar t)$ where 

• $c$ is a natural number, the length of $I$, 

• $\bar c$ is a $|\tau| c^2$-tuple of natural numbers $c_{gkl}$ ($g \in \tau$; $k, l = 1, \ldots, c$), 

• $\bar\varphi$ is a tuple of quantifier-free $\sigma$-formulae $\varphi^r_{gkl}$ 
($g \in \tau$; $k, l = 1, \ldots, c$; $r = 1, \ldots, c_{gkl}$) 

- if $g$ has arity 0, i.e. if $g$ is a constant, then the $\varphi^r_{gkl}$ are variable-free 
formulae and for any $\sigma$-structure $\mathcal{A}$ exactly one of the $\varphi^r_{gkk}$, $k = 1, \ldots, c$, 
$r = 1, \ldots, c_{gkk}$, is true, and 

- if $g$ has arity 1, then the $\varphi^r_{gkl}$ have one variable and for fixed $k$ and for 
any $\sigma$-structure $\mathcal{A}$, the $\varphi^r_{gkl}$, $l = 1, \ldots, c$, $r = 1, \ldots, c_{gkl}$, define a partition 
on the universe of $\mathcal{A}$, i.e. exactly one holds for any one element in the 
universe of $\mathcal{A}$,⁷ 

• $\bar t$ is a tuple of $\sigma$-terms $t^r_{gkl}$ ($g \in \tau$; $k, l = 1, \ldots, c$; $r = 1, \ldots, c_{gkl}$). 

A 1-dimensional quantifier-free functional interpretation defines for every 
$\sigma$-structure $\mathcal{A}$ a $\tau$-structure $\mathcal{B} := I(\mathcal{A})$ where $U^{\mathcal{B}} := \{(a, i) \mid a \in A,\ 1 \le i \le c\}$, 
a constant symbol $g \in \tau$ is interpreted by $g^{\mathcal{B}} = (a', k)$ iff $\mathcal{A} \models \varphi^r_{gkk}$ and 
$\mathcal{A} \models a' = t^r_{gkk}$, and a function symbol $g$ by $g^{\mathcal{B}}((a, k)) = (a', l)$ iff $\mathcal{A} \models \varphi^r_{gkl}(a)$ 
and $\mathcal{A} \models a' = t^r_{gkl}(a)$. 

³ If $g$ has arity 0, $t$ is a closed term. 

⁴ We will stipulate, of course, that the $\varphi^r$ define a partition on the universe of $\mathcal{A}$, i.e. 
that every $a \in A$ satisfies precisely one of the $\varphi^r$. 

⁵ Cosmadakis introduced this generalisation in the relational setting when studying 
Monadic NP, [Cos93]. 

⁶ Again, we have to stipulate that for a given $k$ the $\varphi_{kl}$ define a partition on the 
universe of $\mathcal{A}$. 

⁷ As for the constants, this condition is not meant to contradict the syntactical 
character of the definition: think of the $\varphi_i$ as of a sequence $\varphi_i \wedge \bigwedge_{i' < i} \neg\varphi_{i'}$ with a final 
catch-all formula $\neg \bigvee_{i'} \varphi_{i'}$. 
Example 1. Consider the well-known reduction from 2-SAT to graphs which 
do not contain certain cycles. Given a formula in 2-CNF, a graph is 
constructed as follows: For every variable $v$, there are two vertices, $(v, 1), (v, 0)$ 
(representing $v$ and $\neg v$, respectively), and for every clause $c$ which contains 
variables $v, w$, there are two edges $(c, 0), (c, 1)$: if both variables occur unnegated 
in $c$, then $(c, 0) = ((v, 0), (w, 1))$, $(c, 1) = ((w, 0), (v, 1))$; if $v$ occurs negated, $w$ 
unnegated, then $(c, 0) = ((v, 1), (w, 1))$, $(c, 1) = ((w, 0), (v, 0))$, etc. (just view 
these edges as the representation of the two implications equivalent to $c$). 

This construction is easily modeled as a qffi of length 2 of $\sigma_G$ in $\sigma_{2CNF}$ (cf. 
Example 1). We let $\ldots = (x = 0)$, and define the functions head and tail 
in such a way that, in accordance with the above construction, if both variables 
in $c$ are unnegated then $tail(c, 0) = (f_1(c), 0)$, $head(c, 0) = (f_2(c), 1)$, etc. More 
precisely, our formulae and terms for tail are as follows (the ones for head are 
formed analogously): 

$\varphi_{tail,0,0} = C(x) \wedge neg_1(x) = 0$, $t_{tail,0,0}(x) = f_1(x)$, 
$\varphi_{tail,0,1} = C(x) \wedge neg_1(x) = 1$, $t_{tail,0,1}(x) = f_1(x)$, 
$\varphi_{tail,1,0} = C(x) \wedge neg_2(x) = 0$, $t_{tail,1,0}(x) = f_2(x)$, 
$\varphi_{tail,1,1} = C(x) \wedge neg_2(x) = 1$, $t_{tail,1,1}(x) = f_2(x)$. 

Definition 5 (qffr$(\sigma', \tau')$). 

1. Let $\mathcal{P}$ be a property of $\sigma$-structures, $\mathcal{Q}$ a property of $\tau$-structures and $I$ a qffi 
of $\tau'$ in $\sigma'$. 

$I$ is a 1-dimensional quantifier-free functional $(\sigma', \tau')$-reduction compatible with 
successors (qffr$(\sigma', \tau')$) from $\mathcal{P}$ to $\mathcal{Q}$ if for every $\sigma$-structure $\mathcal{A}$ and each 
compatible $\sigma'$-extension $\mathcal{A}'$ 

• the $\tau'$-structure $\mathcal{B}' := I(\mathcal{A}')$ is a compatible $\tau'$-extension of some $\tau$-structure 
$\mathcal{B}$ and 

• $\mathcal{A} \in \mathcal{P}$ iff $\mathcal{B} \in \mathcal{Q}$. 

2. $\mathcal{P}$ is qffr$(\sigma', \tau')$-reducible to $\mathcal{Q}$ ($\mathcal{P} \le_{\sigma',\tau'} \mathcal{Q}$) if there is a qffr$(\sigma', \tau')$ from $\mathcal{P}$ 
to $\mathcal{Q}$. 

Example 2 (continued). In order to obtain the mentioned reduction from 
2-SAT, we extend our graph signature $\sigma_G$ by an additional function symbol pair, 
and consider graphs on which pair maps vertices pairwise onto each other, 
i.e., $pair(pair(v)) = v$, for all vertices $v$. Interpreting $pair(v)$ by $\varphi_{pair,0,1}(x) = 
\varphi_{pair,1,0}(x) = V(x)$, $t_{pair,0,1}(x) = t_{pair,1,0}(x) = x$ maps corresponding 
vertices onto each other, and setting $\varphi_{pair,1,0}(x) = \varphi_{pair,0,0}(x) = \neg V(x)$, $t_{pair,1,0}(x) = 
t_{pair,0,0}(x) = 0$, we make sure that pair maps all other objects onto nil. This 
extends our interpretation to a reduction from the set of satisfiable formulas in 
2-CNF to the set of those graphs with pairing function, in which no pair of 
vertices lies on one cycle. 
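The reduction of Examples 1 and 2 as an added worked example (my code, not the paper's): the length-2 qffi that maps a $\sigma_{2CNF}$-structure to a graph structure with the pairing function, followed by the target check that no vertex lies on a cycle together with its pair. Taking nil $= (0, 0)$ and the numbering of variables and clauses are my own choices.

```python
"""Added example, not from the paper: the length-2 quantifier-free functional
interpretation of Example 1 (sigma_2CNF-structures into graph structures with the
pairing function of Example 2) and the target property "no pair of vertices lies
on one cycle".  nil = (0, 0) and the element numbering are my own choices."""
from collections import deque

def two_cnf_structure(clauses, n_vars):
    """sigma_2CNF-structure (Example 1.3, k = 2): universe 0, 1, variables
    2..n+1, then one element per clause.  Clauses are pairs of non-zero ints."""
    V = list(range(2, n_vars + 2))
    C = list(range(n_vars + 2, n_vars + 2 + len(clauses)))
    f, neg = {1: {}, 2: {}}, {1: {}, 2: {}}
    for c, lits in zip(C, clauses):
        for i, lit in enumerate(lits, start=1):
            f[i][c] = abs(lit) + 1            # f_i(c): variable of the i-th literal
            neg[i][c] = int(lit < 0)          # neg_i(c) = 1 iff that literal is negated
    return {"U": [0, 1] + V + C, "V": set(V), "C": set(C), "f": f, "neg": neg}

def interpret(A):
    """I(A) on universe A x {0, 1}: (v, 1) stands for v, (v, 0) for not v, and
    (c, 0), (c, 1) are the two edges of clause c.  As in Example 1, tail(c, k)
    lies on the level fixed by the case formula C(x) and neg_{k+1}(x) = 0 / 1
    and is given by the term f_{k+1}(x); head(c, k) is the other literal, on
    level 1 - neg.  Vertices and everything else go to nil under head and tail;
    pair swaps (v, 0) and (v, 1) and sends all other objects to nil."""
    nil = (0, 0)
    G = {"U": [(a, k) for a in A["U"] for k in (0, 1)], "nil": nil,
         "head": {}, "tail": {}, "pair": {}}
    for a, k in G["U"]:
        if a in A["C"]:
            own, other = (1, 2) if k == 0 else (2, 1)
            G["tail"][a, k] = (A["f"][own][a], A["neg"][own][a])          # not l_own
            G["head"][a, k] = (A["f"][other][a], 1 - A["neg"][other][a])  # l_other
            G["pair"][a, k] = nil
        else:
            G["tail"][a, k] = G["head"][a, k] = nil
            G["pair"][a, k] = (a, 1 - k) if a in A["V"] else nil
    return G

def is_vertex(G, x):
    """V(x) :<=> not NIL(x) and NIL(head(x)) and NIL(tail(x)) (Example 1.1)."""
    return x != G["nil"] and G["head"][x] == G["nil"] and G["tail"][x] == G["nil"]

def reaches(G, src, dst):
    """Directed reachability from src to dst along edges e with tail(e) = v."""
    out = {}
    for e in G["U"]:
        if is_vertex(G, G["tail"][e]) and is_vertex(G, G["head"][e]):    # E(e)
            out.setdefault(G["tail"][e], []).append(G["head"][e])
    seen, todo = {src}, deque([src])
    while todo:
        v = todo.popleft()
        if v == dst:
            return True
        for w in out.get(v, ()):
            if w not in seen:
                seen.add(w); todo.append(w)
    return False

def no_pair_on_one_cycle(G):
    """Target property: no vertex v lies on a cycle together with pair(v)."""
    return not any(is_vertex(G, v) and G["pair"][v] != G["nil"]
                   and reaches(G, v, G["pair"][v]) and reaches(G, G["pair"][v], v)
                   for v in G["U"])

def two_sat_via_reduction(clauses, n_vars):
    """Satisfiability of a 2-CNF formula read off the interpreted graph."""
    return no_pair_on_one_cycle(interpret(two_cnf_structure(clauses, n_vars)))
```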



The clause $c = (v \vee \neg w)$, for instance, is modeled by the subgraph: [figure] 

Next we want to prove a closure property of MonadicNLIN wrt qffrs. 
Proposition 4 Let $I = (c, \bar c, \bar\varphi, \bar t)$ be a qffi of $\tau$ in $\sigma$, and let $\Phi = 
\exists X_1 \cdots \exists X_n\, \forall x\, \varphi$ be a $\tau$-formula, where $\varphi$ is quantifier-free. Then there is a 
$\sigma$-formula $\Phi_I = \exists \bar Y\, \forall y\, \psi$, with quantifier-free $\psi$, such that for every $\sigma$-structure 
$\mathcal{A}$ it holds that $\mathcal{A} \models \Phi_I \iff I(\mathcal{A}) \models \Phi$. 

Before proving the proposition, we derive the closure property from it: 

Theorem 1. If $\mathcal{Q} \in$ MonadicNLIN$_{\tau,\tau'}$ and $\mathcal{P}$ is a $\sigma$-property such that $\mathcal{P} \le_{\sigma',\tau'} 
\mathcal{Q}$ then $\mathcal{P} \in$ MonadicNLIN$_{\sigma,\sigma'}$. 

Proof of Theorem 1: Let $I$ be a qffi of $\tau'$ in $\sigma'$ and let $\Phi$ be a $\tau'$-formula which 
proves $\mathcal{Q} \in$ MonadicNLIN$_{\tau,\tau'}$. Let $\mathcal{A}$ be a $\sigma$-structure and $\mathcal{A}'$ be a compatible 
$\sigma'$-extension of $\mathcal{A}$. Then $I(\mathcal{A}')$ is a compatible $\tau'$-extension of some $\tau$-structure $\mathcal{B}$, 
and it holds that 

$\mathcal{A} \in \mathcal{P} \iff \mathcal{B} \in \mathcal{Q} \iff I(\mathcal{A}') \models \Phi \iff \mathcal{A}' \models \Phi_I$. 

Thus $\Phi_I$ characterises $\mathcal{P}$, hence $\mathcal{P} \in$ MonadicNLIN$_{\sigma,\sigma'}$. □ 

Proof of Proposition 4: 

We want $\Phi_I$ to hold in $\mathcal{A}$ iff $\Phi$ holds in $I(\mathcal{A})$, whose universe consists of $c$ copies 
of $A$, the universe of $\mathcal{A}$. Therefore, we replace the first-order part of $\Phi$, $\forall x\, \varphi$, by 
the formula $\forall y \bigwedge_{j=1}^{c} \psi_j$ with the intention that $\psi_j(a)$ holds in $\mathcal{A}$ iff $\varphi(a, j)$ holds 
in $I(\mathcal{A})$. In order to construct $\psi_j$ from $\varphi$, we replace every atom by the formula 
which interprets it according to $I$. Let us first consider an atom without nested 
terms. This can be of one of the following forms. 

— $X_i(x)$. We want to express that $(a, j) \in X_i$. To this end we replace the 
variable $X_i$ by $c$ variables $Y_{i1}, \ldots, Y_{ic}$ with the intended interpretation 
$(a, j) \in X_i \iff a \in Y_{ij}$. Therefore the atom $X_i(x)$ is replaced by $Y_{ij}(y)$. 
Thus our formula $\Phi_I$ is of the form $\exists Y_{11} \cdots \exists Y_{nc}\, \forall y \bigwedge_{j=1}^{c} \psi_j$. 

— $X_i(fx)$, for some $f \in \tau$. We want to express that $f(a, j) \in X_i$. Since $f(a, j)$ 
may reside on any level $k$ of $I(\mathcal{A})$, we have to consider all these cases. The 
formulae $\varphi^r_{fjk}$ where $k = 1, \ldots, c$, $r = 1, \ldots, c_{fjk}$, partition $A$, so we can 
write $\bigvee_{k=1}^{c} \bigvee_{r=1}^{c_{fjk}} \bigl(\varphi^r_{fjk}(y) \wedge Y_{ik}(t^r_{fjk}(y))\bigr)$. 

— $fx = x$. This can be true for $(a, j)$ only if $f(a, j)$ also lies on level $j$, i.e., if 
one of $\varphi^1_{fjj}, \ldots, \varphi^{c_{fjj}}_{fjj}$ holds for $a$. Thus we replace the atom $fx = x$ by the 
formula $\bigvee_{r=1}^{c_{fjj}} \bigl(\varphi^r_{fjj}(y) \wedge t^r_{fjj}(y) = y\bigr)$. 

— $fx = gx$. This is replaced by $\bigvee_{k=1}^{c} \bigvee_{r=1}^{c_{fjk}} \bigvee_{s=1}^{c_{gjk}} \bigl(\varphi^r_{fjk}(y) \wedge \varphi^s_{gjk}(y) \wedge t^r_{fjk}(y) = t^s_{gjk}(y)\bigr)$. 
For atoms containing nested terms, the formulae are similar, although more 
complex, due to the necessary iteration of case distinctions: e.g., in order to express 
that $e(f(a, j)) = g(h(a, j))$, we will have to consider all possible combinations of 
intermediate levels, i.e., of the levels of $f(a, j)$ and $h(a, j)$, as well as all possible 
target levels. The following lemma (proof omitted) handles all this. 

Lemma 5. For every $\tau$-term $t$ and every $j, k \le c$ there are a finite index 
set $R_{tjk}$, $\sigma$-formulae $\chi^r_{tjk}$ and $\sigma$-terms $s^r_{tjk}$, $r \in R_{tjk}$, such that for every 
$\sigma$-structure $\mathcal{A}$: 

1. for every $j \le c$, the sets $(\{a \in A \mid \mathcal{A} \models \chi^r_{tjk}(a)\})_{r,k}$ form a partition of $A$, 
and 

2. for every $a \in A$, every $r, k$: 

if $\mathcal{A} \models \chi^r_{tjk}(a)$ then $I(\mathcal{A}) \models t((a, j)) = (s^r_{tjk}(a), k)$. 

We can now derive Proposition 4: for each atom which contains $t(x)$, we proceed 
in the same way as in the corresponding atom for $fx$, but instead of $\{1, \ldots, c_{fjk}\}$, 
$\varphi^r_{fjk}$ and $t^r_{fjk}$ we use $R_{tjk}$, $\chi^r_{tjk}$ and $s^r_{tjk}$ given by the lemma. □ 

Next, we introduce a notion of completeness for MonadicNLIN. 

Definition 6 (MonadicNLIN-completeness). 

Let $\mathcal{Q}$ be a $\tau$-property. $\mathcal{Q}$ is MonadicNLIN-complete wrt qffrs if there is $\tau \subseteq 
\tau' \subseteq \tau^{succ}$ such that 

• $\mathcal{Q} \in$ MonadicNLIN$_{\tau,\tau'}$ and 

• for any $\sigma$-property $\mathcal{P} \in$ MonadicNLIN it holds that $\mathcal{P} \le_{\tau'} \mathcal{Q}$. 

The existence of complete problems allows a succinct characterisation of MonadicNLIN: 
denote by $Cl_{\tau'}(\mathcal{Q}) := \{\mathcal{P} \mid \mathcal{P} \le_{\tau'} \mathcal{Q}\}$ the $\tau'$-closure of a $\tau$-property $\mathcal{Q}$. 

Proposition 6 Let $\mathcal{Q}$ be MonadicNLIN-complete wrt qffrs, the completeness 
testified by a signature $\tau'$. Then 

MonadicNLIN $= Cl_{\tau'}(\mathcal{Q})$. 

Proof: Directly from Definition 6 and Theorem 1. □ 

Theorem 2. 

1. CNF-SAT is MonadicNLIN-complete wrt qffrs. 

2. This can be testified by $\sigma'_{CNF} := \sigma_{CNF} \cup \{s^{pre}_{junction}, \ldots\}$. 

Proof. By Proposition 1, CNF-SAT is in MonadicNLIN$_{\sigma_{CNF},\sigma'_{CNF}}$. For the 
reductions, we follow the standard method of reducing the model class of an 
arbitrary $\Sigma^1_1$-formula $\Psi = \exists \bar X\, Q_1 x_1 \cdots Q_n x_n\, \psi(\bar X, \bar x)$ (with $Q_i \in \{\exists, \forall\}$ and 
quantifier-free $\psi$) in a relational signature $\sigma$ to SAT: there, to any $\sigma$-structure 
$\mathcal{A}$ is associated a Boolean formula $\bigodot_{a_1 \in U^{\mathcal{A}}} \cdots \bigodot_{a_n \in U^{\mathcal{A}}} \psi(\bar X, \bar a)$ where 
$\bigodot \in \{\bigvee, \bigwedge\}$, the $X_i \bar a$ are understood to be Boolean variables and the remaining 
atoms are assigned truth values according to the evaluation in $\mathcal{A}$. Here, we have 
to show that, if $\Psi$ is a MonadicNLIN-formula, an analogous mapping from $\mathcal{A}'$ 
to $\psi_{\mathcal{A}'}$ can be given as a qffr$(\sigma', \tau')$, which means in particular that this 
qffr defines a junction-compatible successor function on $\psi_{\mathcal{A}'}$. 
Let $\mathcal{P}$ be defined by $\Psi = \exists X_1 \cdots \exists X_l\, \forall x\, \psi(\bar X, x)$. We view $\Psi$ as a formula in $\sigma^{succ}$ 
even if not all symbols from $\sigma^{succ}$ appear in $\Psi$. Wlog we assume that $\psi(\bar X, x)$ 
is given in CNF, i.e. $\psi(\bar X, x) = \bigwedge_{i=1}^{s} \psi^i(\bar X, x) = \bigwedge_{i=1}^{s} \bigvee_{j=1}^{p_i} \psi^{ij}(\bar X, x)$ with clauses 
$\psi^i(\bar X, x)$ and atomic or negated atomic formulae $\psi^{ij}(\bar X, x)$. To define $\psi_{\mathcal{A}'}$, we 
have to specify its universe and to define the signature $\{junction, var, neg, 0, 1\} \cup 
\{s^{pre}_{junction}, \ldots\}$ in terms of $\sigma^{succ}$; the particulars of this qffi will depend, 
of course, on $\Psi$. 

For each element $a \in A$, the target CNF-formula will have a Boolean 
variable $v_q(a)$ for every set variable $X_q$, and a clause $c_i(a)$ for every disjunction 
$\psi^i$. A clause $c_i(a)$ has $p_i$ occurrences, one for each $\psi^{ij}$. Furthermore, there will 
be elements 0 and 1. We therefore take $c := l + s + 2 + \sum_{i=1}^{s} p_i$ copies of the 
universe. We now have to provide formulae and terms defining the functions: we 
only give two examples here, one for the function var and one for the successor 
$s^{pre}_{junction}$. 

In the target structure, an occurrence $o$ is represented as a pair $(a, h)$, where $h$ 
encodes the pair $(i, j)$ such that $o$ corresponds to $\psi^{ij}(a)$. This occurrence can be 
a Boolean variable $X_q(b)$, represented by a pair $(b, g)$. This is the case if $\psi^{ij}(x)$ 
is $X_q(t(x))$, and $t(a) = b$. For those pairs $ij$ and the appropriate $g$, we thus 
can write $t_{var,h,g}(x) = t(x)$ without any further case distinction expressed by a 
quantifier-free formula. On the other hand, if $\psi^{ij}(x)$ is of the form $t_1(x) = t_2(x)$, 
the case distinction “$t_1(x) = t_2(x)$ or $t_1(x) \ne t_2(x)$” controls if var maps $(a, h)$ 
to 0 or to 1. 

This example illustrates that for the elements $(a, h)$ of the target structure, 
the index $h$ encodes the syntactical structure of the matrix of $\Psi$. Accordingly, 
$t_{s^{pre}_{junction},h,g}(x)$ depends on $h$ and $g$: if, for example, $h$ encodes $(i, p_i - 1)$ and $g$ encodes 
$(i, p_i)$ then the occurrence $(a, g)$ is the direct successor of the occurrence $(a, h)$ 
and, therefore, $t_{s^{pre}_{junction},h,g}(x) = x$; if, however, $h$ encodes $(s, p_s)$ and $g$ encodes 
1 then $t_{s^{pre}_{junction},h,g}(x) = suc(x)$, for some $suc \in \sigma^{succ} \setminus \sigma$. □ 

We close this section with a result on the transitivity of qffrs. 



Proposition 7 

1. Let $\sigma$, $\tau$ and $\rho$ be functional signatures and $I_1$ be a qffi of $\tau$ in $\sigma$ and $I_2$ 
be a qffi of $\rho$ in $\tau$. Then the composition of $I_1$ and $I_2$ can be given as a qffi, 
i.e. there is a qffi $I$ of $\rho$ in $\sigma$ such that for any $\sigma$-structure $\mathcal{A}$ it holds 
that $I(\mathcal{A}) = I_2(I_1(\mathcal{A}))$. 

2. Let $\mathcal{P}$, $\mathcal{Q}$ and $\mathcal{R}$ be $\sigma$-, $\tau$- and $\rho$-properties respectively. 
If $\mathcal{P} \le \mathcal{Q}$ and $\mathcal{Q} \le \mathcal{R}$ and $\tau' \subseteq \tau''$ then $\mathcal{P} \le \mathcal{R}$. 

Proof: 1. can be checked using Lemma 5, 2. follows easily from 1. □ 
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4 Nonexpressibility results 

In this section, we will show that neither the class of connected graphs nor the 
class of Hamiltonian graphs are in MonadicNLIN. For the proof we will make 
use of Schwentick’s result that, for relationally represented graphs, connectivity 
cannot be defined in monadicifj*-, even in the presence of a built-in linear order 
relation [Sch96], We have to translate this result into our setting, which differs 
from the one of [Sch96] mainly in that here, graphs are represented as func- 
tional structures, in particular, quantification over (sets of) edges is possible. 
Therefore, we will use Schwentick’s result in a more specific form: no formula 
of monadici7j(<, i?) can distinguish the set of all (directed) cycles from the set 
of all disjoint unions of (directed) cycles ([Sch96], Corollary 19).® In a cycle, we 
can represent each edge by its starting point, so quantification over edges can 
be replaced by quantification over vertices.® 

Theorem 3. There is no set of directed graphs in MonadicNLIN which con- 
tains all cycles, hut no disjoint union of more tha,n one cycle. 

Proof (sketch): Let σ be the functional signature for graphs (cf. Example 1.1). Given a formula Φ = ∃M_1 ⋯ ∃M_r ∀x φ(x) over σ_succ, we construct a monadic Σ¹₁-formula Ψ over the relational signature {E, <}, such that the following holds: for every cycle graph, i.e. every graph G which is the disjoint union of simple cycles, and for every order relation < on the vertices of G, there is an admissible functional representation G' of G, such that G' ⊨ Φ iff (G, <) ⊨ Ψ. It follows from [Sch96] that Ψ cannot distinguish cycles from unions of cycles, hence neither can Φ.

Given an order relation < on a cycle graph G we take as functional representation of G the unique structure G', in which all successor functions are in accordance with <, i.e., they all induce the order < on the vertices of G.

When interpreting Φ over functionally represented graphs, the variable x can be instantiated by vertices and edges (or by nil, but we will ignore this special case here). In the target formula (which is to be interpreted over relationally represented graphs), we have to express both the properties expressed by φ for vertices, and those for edges. We will use each vertex to represent the edge leaving it, which in a cycle graph is unique. Accordingly, we develop two formulas, φ^v(y) and φ^e(y), from φ(x). In the former, we assume y to represent a vertex, in the latter an edge. For every set variable M_i we introduce two set variables, M^v_i and M^e_i, where M^v_i(y) is intended to indicate that the vertex represented by y is in the set M_i, and similarly M^e_i(y) for the edge represented by y. For the construction of φ^v and φ^e from φ we form, for every atom α which occurs in φ(x), two formulae, α^v and α^e, which, when interpreted in (G, <), express the same property as α does over G'. It will then hold that G' ⊨ ∃M_1 ⋯ ∃M_r ∀x φ(x) iff (G, <) ⊨ ∃M^v_1 ⋯ ∃M^v_r ∃M^e_1 ⋯ ∃M^e_r ∀y (φ^v(y) ∧ φ^e(y)).

¹ Although the results in [Sch96] are stated for undirected graphs, the proofs also work in the directed setting.

² This is the reason why we don't use the inexpressibility result for built-in successor [dR87]: the graphs there are more complicated.
The construction of α^v and α^e from α is not difficult, but, due to the many different possibilities for α, rather tedious. We therefore only demonstrate the idea by way of a few simple examples. We will make free use of abbreviations, such as max or ◁, the latter denoting the direct successor relation relative to <.

• Let α be the atom M_i(tail(x)). If x is a vertex then tail(x) = nil. Since we can assume, without loss of generality, that nil ∉ M_i for any i, M_i(tail(x)) is false, and we set α^v = ⊥. If x is an edge, then we want α^e(y) to hold for the vertex y representing x iff α holds for x. Since an edge is represented by its tail vertex, we can choose α^e(y) as M^v_i(y).

• Let α(x) be s^°a*(f(sf™j(x)) = max^™^. Note that all successor functions alternate between vertices and edges; the preorder successors start with a vertex and end with an edge. Since all successors are compatible with <, rnax^^^^ is the edge arriving at the <-maximal vertex, max. Furthermore, in order for α(x) to be true, x must be an edge, and then sYJ^i(x) is the vertex b following tail(x) in <. The outer successor function applied to b is the edge arriving at b's direct successor in <; it follows that b ◁ max. Altogether, α(x) expresses that the edge x leaves the predecessor of the predecessor of max, and we obtain α^e(y) = ∃z y ◁ z ◁ max (and α^v(y) = ⊥).

• For our most complex example, let α(x) be

Again, if x is a vertex, the first successor term yields the next vertex in the cycle, the second yields the edge e = (u, x) which arrives at x, and the third, applied to e, yields u, the vertex preceding x in the cycle. Thus α^v(y) = ∃u∃v (E(u, y) ∧ E(y, v) ∧ u = v). If x is an edge (y, v_1), then the first successor term on the left hand side yields the successor z_1 of y in the order <, the next yields z_2, the successor of z_1 in <, and therefore the last yields the edge (z_3, z_2). On the right hand side, the first successor term yields the successor v_2 of v_1 in <, and the next yields the edge starting from v_2's successor in <, v_3. Thus α^e(y) can be chosen as the formula

∃z_1∃z_2∃z_3∃v_1∃v_2∃v_3 (E(y, v_1) ∧ y ◁ z_1 ◁ z_2 ∧ E(z_3, z_2) ∧ v_1 ◁ v_2 ◁ v_3 ∧ z_3 = v_3). □

Corollary 1. The following sets are not in MonadicNLIN:

• CONN, the set of all connected graphs.

• HAM, the set of all Hamiltonian graphs.

• EULER, the set of all Eulerian graphs.

5 Discussion 

Functional structures seem an appropriate representation of pointer structures 
as used in algorithm design: Every object has a finite number of pointers to 
other objects; this can conveniently be modeled by a corresponding number of 
functions. This representation of structures is abstract enough to allow reasoning 
in terms of combinatorial or algebraic structures. On the other hand, it is explicit 
enough to allow algorithmic reasoning without going down to the level of string 
encodings. 

With the notion of a compatible successor we developed a way of ordering the elements of a functional structure in a meaningful way, without overspecifying the order. Similar to, but somewhat stronger than, the local order on the neighbours of a vertex, as used, e.g., in [Cou97], compatible successors enable us to express the systematic exploration of a structure and thus to model algorithms even in logics which are too weak to express order. Since some algorithms may use several different orders (e.g., adjacency lists according to tail vertices and adjacency lists according to head vertices), we equipped our structures with several such successors. Of course, we could have defined MonadicNLIN equivalently as MonadicNLIN_{σ_succ}; however, we have several reasons for the introduction of intermediate signatures σ':

• Although we have no concrete example, we expect that there are problems which can only be expressed in MonadicNLIN with both pre- and post-compatible successor functions over structures in which the function trees have unbounded width and depth.

• The multitude of choices of successor functions (and associated min and max constants), for every signature σ, reflects the situation in algorithm design, where the input representation may vary according to the suitability for particular algorithms. Since we have no reason to prefer one successor to the other, we leave the choice to the "user", i.e., to whoever writes a formula.

• The introduction of σ' is suggested by the proof of the closure property 1. It means that we only have to interpret those successors which are really used in the MonadicNLIN-formula defining the target property.

• With instead of τ' in the definition of completeness, we would not have been able to prove CNF-SAT complete, since it seems that not all successor functions for CNF-formulas can always be interpreted in a quantifier-free way.

Our notion of quantifier-free functional interpretation and reduction should be of use also in other contexts. Being quantifier-free, these reductions are efficiently computable, and thus can be used within low-complexity classes, such as DLIN; in fact, they are very closely related to the affine reductions of [GS99]. On the other hand, they seem powerful enough to simulate most of the sort-lin-red notions presented in [Cre95]. Thus our class MonadicNLIN is a logically defined analogue to the class of SAT-easy problems investigated there.

MonadicNLIN is a computationally meaningful class. This is shown by the completeness of CNF-SAT, as well as by the definition: MonadicNLIN-algorithms have a certain locality, their only means of exploring the structure are the successor functions, whereas general NLIN-algorithms can guess arbitrary unary functions, thus potentially accessing every object from every other object. Beyond that, the study of MonadicNLIN suggests notions and methods which seem to be of general interest in the logical investigation of functional structures and linear time.

Our negative result in Section 4 shows that, e.g., Hamiltonian graphs are strictly 
harder than satisfiable CNF-formulas: they are not in MonadicNLIN, hence 
not quantifier-free reducible to CNF-SAT. The method used in the proof can 
be generalised into a notion of reduction between sets of relational and sets of 
functional structures. 

We conclude the paper by listing just a few questions that arise directly from 
our work. 
1. What is the precise computational meaning of the class MonadicNLIN? 
Does it coincide with the closure of CNF-SAT under other, computationally 
defined, reductions? 

2. What is the relation of MonadicNLIN to other monadic logics such as monadic Σ¹₁?

3. What about the expressibility of other logics over functional structures with 
compatible successors? 
Abstract 

In 1974 Ronald Fagin proved that properties of structures which are in NP are exactly the same as those expressible by existential second order sentences, that is sentences of the form ∃P φ, where P is a tuple of relation symbols and φ is a first order formula. Fagin was also the first to study monadic NP: the class of properties expressible by existential second order sentences where all quantified relations are unary. In their very difficult paper [AF90] Ajtai and Fagin show that directed reachability is not in monadic NP.

In [AFS97] Ajtai, Fagin and Stockmeyer introduce closed monadic NP: the class of properties which can be expressed by a kind of monadic second order existential formula, where the second order quantifiers can interleave with first order quantifiers. Among other results they show that directed reachability is expressible by a formula of the form ∃P∀x∃P_1 φ, where P and P_1 are unary relation symbols and φ is first order. They state the question if this property is in the positive first order closure of monadic NP, that is if it is expressible by a sentence of the form Qx∃P φ, where Qx is a tuple of first order quantifiers and P is a tuple of unary relation symbols.

In this paper we give a negative solution to the problem.

1 Introduction 

In 1974 Ronald Fagin proved that the properties of structures which are in NP are exactly the same as those expressible by existential second order sentences, known also as Σ¹₁ sentences. Such a sentence has the form ∃P φ, where P is a tuple of relation symbols and φ is a first order formula.

Fagin was also the first to study monadic NP: the class of properties expressible by an existential second order sentence where all the quantified relations are unary. The first reason to study this class was the belief that it could serve as a training ground for attacking the "real problems" like whether NP equals co-NP: it is not hard to show ([S95]) that monadic NP is different from monadic co-NP. But despite its simple syntax monadic NP contains also NP-complete problems, including 3-colorability.

* Research supported by the Polish KBN grant 8T11C02913

J. Flum and M. Rodriguez-Artalejo (Eds.): CSL'99, LNCS 1683, pp. 338-349, 1999.
© Springer-Verlag Berlin Heidelberg 1999

Directed Reachability: From Ajtai-Fagin to Ehrenfeucht-Fraïssé Games

A big part of the research in the area of monadic NP is devoted to the possibility of expressing different variations of graph connectivity. Already Fagin's proof that monadic NP is different from monadic co-NP is based on the fact that connectivity of undirected graphs is not expressible by a sentence in monadic Σ¹₁ while non-connectivity obviously is. Then de Rougemont [dR87], Fagin, Stockmeyer and Vardi [FSV95] and Schwentick [S95] proved that connectivity is not in monadic NP even in the presence of various built-in relations. A closely related topic is reachability: Consider a graph with two constants source and sink. Then it has the property of reachability if there is a path from the source to the sink. As observed by Kanellakis this property for undirected graphs is expressible in monadic Σ¹₁. But, as Ajtai and Fagin show in their very difficult paper [AF90], directed reachability is not in monadic NP (their proof was then simplified in [AF97]).

As we said, connectivity is not in monadic NP. But since reachability is in this class, connectivity is expressible by a formula of the form ∀x∀y∃P φ. This observation leads to the study of closed monadic NP: the class of properties expressible by a sentence of the form Qφ where φ is quantifier free, and Q is a quantifier prenex, containing alternating first order and monadic second order existential quantifiers.

In [AFS97] and [AFS98] Ajtai, Fagin and Stockmeyer argue that closed monadic NP is at least as interesting an object of study as monadic NP: it is still a subclass of NP, is defined by simple syntax, and is closed with respect to first order quantification. They consider a hierarchy inside closed monadic NP, with respect to the number of alternations between first order and second order quantification, and define the positive first order closure of monadic NP as the class of properties expressible by a sentence of the form Qx∃P φ, where Qx is a tuple of first order quantifiers and P is a tuple of unary relation symbols. They show a (very artificial) graph property which is expressible by a sentence of the form ∃P_1 Qx ∃P_2 φ, but is neither in the positive first order closure of monadic NP nor expressible as a Boolean combination of properties from this class. They also show that directed reachability is expressible by a formula of the form ∃P∀x∃P_1 φ, and state the question whether it is in the positive first order closure of monadic NP.

In this paper we show how to modify the argument from [AF90] to answer 
the last question negatively. 

2 Ajtai-Fagin Graphs 

In this section we give a very brief sketch of Ajtai-Fagin's proof of:

Theorem 1. [AF90] Directed reachability is not expressible by a formula in monadic Σ¹₁.

Let Ψ = ∃P φ be a formula of monadic Σ¹₁, where P is a tuple of r̄ unary relations. We assume that φ is a first order formula in prenex form and that this prenex contains r quantifiers.

In order to show that Ψ does not express directed reachability the authors consider, for a given natural number n, a directed graph G defined by the following probabilistic procedure. The set of vertices of G will be V = {v_1, …, v_n}, with v_1 being the source and v_n being the sink. For each 1 ≤ i ≤ n − 1 there is an edge in G from v_i to v_{i+1}. Such edges are called forward edges. For each pair 1 ≤ i < j ≤ n there exists, with probability p, an edge in G leading from v_j to v_i. The probability p depends only on n and on r. Such edges are called backward edges.

It is clear that there exists a directed path from the source to the sink in G. Call G_k the graph being the result of removing from G the forward edge from v_k to v_{k+1}. Obviously none of the graphs G_k has the property of directed reachability.

Ajtai and Fagin give a very difficult proof of the following:

Theorem 2. For every ε > 0 and r̄ there exists n such that, with probability at least 1 − ε, the graph G constructed above has the following property (*):

(*) For every coloring of G with r̄ colors, there exists a number k such that if we color G_k in the same way as G, then the duplicator has a winning strategy in the r-round Ehrenfeucht-Fraïssé game on G and G_k.

See the next Section for a brief introduction to Ehrenfeucht-Fraïssé games.

Notice that G and G_k have the same set of vertices so it makes sense to talk about "the same way of coloring". Notice also that it follows from the last theorem that a graph G with the property (*) exists. From now on we will treat G as fixed.

Once Theorem 2 is proved it is straightforward to show Theorem 1. Suppose there is a formula Ψ in monadic Σ¹₁ expressing directed reachability. Since Ψ is valid in G there exists a coloring of G satisfying φ. Take G_k given by the property (*) and color it as G is colored. To get a contradiction we only need to show that φ is valid in the (colored) G_k. But since φ is in prenex form with r quantifiers this follows from Theorem 2 and Theorem 3. □



3 The Games 

The most standard tool in proving results about non-expressibility of properties of structures in various logics are Ehrenfeucht-Fraïssé games. The simplest of them corresponds to formulae of first order logic.

Definition 1. Consider the following r-round first order Ehrenfeucht-Fraïssé game.

It is played by two players, the spoiler and the duplicator, on two structures G_0 and G_1 (it is good to think that G_0 and G_1 are colored graphs, possibly with constants c_1, c_2, …, c_l). There are r rounds. In the i-th round, the spoiler selects one point in one of the graphs, and calls this point p_i if it is selected from G_0 or q_i if it is selected from G_1. Then, still in the i-th round, the duplicator selects one point in the other graph and calls it q_i, or p_i, respectively.

We say that the duplicator wins, if after r rounds the structures

G_0 ∩ {p_1, p_2, …, p_r, c⁰_1, c⁰_2, …, c⁰_l} and G_1 ∩ {q_1, q_2, …, q_r, c¹_1, c¹_2, …, c¹_l},

where c⁰_i (c¹_i) is the interpretation of the constant c_i in G_0 (G_1), are isomorphic under the function that maps each p_i onto q_i. This means that:

(i) q_i = q_j (q_i = c¹_j or c¹_i = c¹_j) if and only if p_i = p_j (respectively p_i = c⁰_j or c⁰_i = c⁰_j) for each i, j,

(ii) for each i the color of p_i is the same as the color of q_i, and the color of c⁰_i is the same as the color of c¹_i,

(iii) for each i, j, there is an edge from p_i to p_j (from p_i to c⁰_j and so on) in G_0 if and only if there is an edge from q_i to q_j (respectively from q_i to c¹_j and so on) in G_1.

We say that the duplicator has a winning strategy if he can guarantee that he will win, no matter how the spoiler plays. Otherwise we say that the spoiler has a winning strategy.

Theorem 3. The property P is expressible by a first order formula φ with quantifier depth r if and only if, for each choice of structures G_0 and G_1, such that G_0 has the property P and G_1 does not, the spoiler has a winning strategy in an r-round first order Ehrenfeucht-Fraïssé game on G_0 and G_1.

Definition 1 and Theorem 3 come from [E61] and [Fr54].
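As an added worked example (my code, not the paper's), the following Python builds the Ajtai-Fagin graph G of Section 2, obtains G_k by removing the forward edge from v_k to v_{k+1}, and decides the r-round first order Ehrenfeucht-Fraïssé game of Definition 1 by exhaustive search, with source and sink as the constants c_1, c_2 and the winning condition (i)-(iii) checked literally. The graph sizes, the edge probability p and the random seed are my choices; on such tiny graphs the spoiler already wins in two rounds, which illustrates why Theorem 2 needs n large.

```python
"""Added example (not from the paper): the r-round first order
Ehrenfeucht-Fraisse game of Definition 1, decided by brute force, played on
small Ajtai-Fagin graphs G and G_k from Section 2."""
import random
from itertools import product

# A structure is a 4-tuple (vertices, edges, color, constants):
#   vertices  - list of vertex names
#   edges     - set of directed pairs (u, v)
#   color     - dict vertex -> color (a coloring by unary relations; {} = uncolored)
#   constants - tuple of vertices interpreting c_1, ..., c_l (here: source, sink)


def ajtai_fagin_graph(n, p, seed=0):
    """G on v_1..v_n (named 1..n): forward edges v_i -> v_{i+1}, and, for every
    pair i < j, a backward edge v_j -> v_i with probability p (seeded, so the
    construction is reproducible; p and seed are free choices in this example)."""
    rng = random.Random(seed)
    edges = {(i, i + 1) for i in range(1, n)}
    for j in range(2, n + 1):
        for i in range(1, j):
            if rng.random() < p:
                edges.add((j, i))
    return list(range(1, n + 1)), edges


def remove_forward_edge(edges, k):
    """G_k: G without the forward edge v_k -> v_{k+1}."""
    return edges - {(k, k + 1)}


def reachable(edges, source, sink):
    """Directed reachability: is there a path from source to sink?"""
    seen, stack = {source}, [source]
    while stack:
        u = stack.pop()
        for a, b in edges:
            if a == u and b not in seen:
                seen.add(b)
                stack.append(b)
    return sink in seen


def partial_iso(s0, s1, ps, qs):
    """Conditions (i)-(iii) of Definition 1 for the points picked so far,
    p_i -> q_i, together with the constants c_i^0 -> c_i^1."""
    _, e0, col0, c0 = s0
    _, e1, col1, c1 = s1
    pairs = list(zip(list(ps) + list(c0), list(qs) + list(c1)))
    for a, b in pairs:
        if col0.get(a) != col1.get(b):            # (ii) same colors
            return False
    for (a, b), (c, d) in product(pairs, repeat=2):
        if (a == c) != (b == d):                  # (i) same equalities
            return False
        if ((a, c) in e0) != ((b, d) in e1):      # (iii) same edges
            return False
    return True


def spoiler_wins(s0, s1, rounds, ps=(), qs=()):
    """True iff the spoiler has a winning strategy in the remaining rounds of
    the game on s0 (G_0) and s1 (G_1), given the points picked so far."""
    if not partial_iso(s0, s1, ps, qs):
        return True                  # the duplicator has already lost
    if rounds == 0:
        return False                 # the duplicator survived all r rounds
    # spoiler picks p in G_0; the duplicator must answer with some q in G_1 ...
    for p in s0[0]:
        if all(spoiler_wins(s0, s1, rounds - 1, ps + (p,), qs + (q,)) for q in s1[0]):
            return True
    # ... or spoiler picks q in G_1 and the duplicator answers with p in G_0
    for q in s1[0]:
        if all(spoiler_wins(s0, s1, rounds - 1, ps + (p,), qs + (q,)) for p in s0[0]):
            return True
    return False


def reachability_game(n, k, rounds, p=0.0, seed=0):
    """Play the r-round game on G and G_k with source v_1 and sink v_n as the
    constants c_1, c_2 and no coloring; returns True iff the spoiler wins."""
    vertices, edges = ajtai_fagin_graph(n, p, seed)
    g = (vertices, edges, {}, (1, n))
    gk = (vertices, remove_forward_edge(edges, k), {}, (1, n))
    assert reachable(edges, 1, n) and not reachable(gk[1], 1, n)
    return spoiler_wins(g, gk, rounds)


if __name__ == "__main__":
    # on the plain path v_1 -> v_2 -> v_3 -> v_4 the spoiler needs two rounds
    print(reachability_game(4, 2, 1), reachability_game(4, 2, 2))  # False True
```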

The strategy of the Ajtai-Fagin proof above is based on the idea of the Ajtai-Fagin game: The duplicator selects a graph H with the property P and the spoiler colors it with some fixed number r̄ of colors. In his next move the duplicator provides a graph F, without the property P, and colors it. Then they play an r-round first order Ehrenfeucht-Fraïssé game on the colored graphs H and F. The winner of the game is the winner of the final Ehrenfeucht-Fraïssé game.

Lemma 1 is a simple consequence of Theorem 3:

Lemma 1. A property P is expressible by a formula in monadic Σ¹₁ if and only if there is a number r̄ of colors and a number r of rounds such that the spoiler has a winning strategy in the Ajtai-Fagin game with r̄ colors and r rounds.

Of course there exists also a version of the Ehrenfeucht-Fraïssé game good for monadic Σ¹₁. In such a game on structures H and F the spoiler colors H, the duplicator colors F and then they play the standard first order Ehrenfeucht-Fraïssé game. With the use of Theorem 3 it is easy to prove the Lemma, which comes from [F75]:

Lemma 2. A property P is expressible by a formula in monadic Σ¹₁ if and only if there is a number r̄ of colors and a number r of rounds such that for each choice of structures F and H such that H has the property P and F does not have it the spoiler has a winning strategy in the Ehrenfeucht-Fraïssé game on H and F with r̄ colors and r rounds.
Notice that the last game, unlike the first order Ehrenfeucht-Fraïssé game, is not symmetric: in the game on H and F it is only the structure H that the spoiler is allowed to color.

Since in the Ajtai-Fagin game the spoiler colors the structure H before he learns what F is, it is much easier to show that the duplicator has a winning strategy in the Ajtai-Fagin game than in the Ehrenfeucht-Fraïssé game. In particular it is very easy to see that for every k it is rather the spoiler than the duplicator who has a winning strategy in the Ehrenfeucht-Fraïssé game on the graphs G and G_k. But the disadvantage of the Ajtai-Fagin game is that it is unclear how it can be extended to the situation where the second order existential quantifiers alternate with first order quantifiers. In particular the technique of [AF90] and [AF97] cannot be used directly even for the proof of the fact that directed reachability cannot be expressed by a sentence of the form ∀x∃P φ, where φ is first order.

We will show how to modify the technique of [AF90] so that it can be used together with the following Lemma 3, which is a variation of lemmas from [AFS97].

Definition 2. By an l − r̄ − r-Ehrenfeucht-Fraïssé game on structures H and F we will mean the following game. First there are l rounds, almost like in the first order Ehrenfeucht-Fraïssé game, with the only difference that for future convenience we assume that the spoiler selects points in H in odd rounds and points in F in even rounds. Then the spoiler colors H with r̄ colors and the duplicator responds by coloring F with r̄ colors. Finally they play an r-round first order game on the colored H and F, where the points picked in the first l rounds are understood as constants. The winner is the winner of the final first order game.

Lemma 3. A property P is expressible in the first order closure of monadic Σ¹₁ if and only if there are l, r̄ and r such that for each choice of structures F and H such that H has the property P and F does not have it, the spoiler has a winning strategy in the l − r̄ − r-Ehrenfeucht-Fraïssé game on H and F.

4 Ehrenfeucht-Fraïssé Game for Directed Reachability

In this section we will show how to prove that directed reachability is not expressible by a formula in monadic Σ¹₁ using the Ehrenfeucht-Fraïssé game instead of the Ajtai-Fagin game. In fact we are going to prove a little bit more:

Lemma 4. Directed reachability is not expressible by a sentence of the form ∀z∃x∀y∃P φ, where φ is first order. We assume here that P is a tuple of r̄ unary relations and φ is in prenex form, with quantifier depth r.

There are two reasons why we need the Lemma. First is that it will be used in Section 5 as the first step of induction (see also Section 6). But for this it would be enough to prove the result for sentences of the form ∀y∃P φ. The second reason is that this restricted case can be considered as an example of almost all the tricks needed in Section 5. There we will combine the proof of Lemma 4 with induction to prove Theorem 4, the main result of this paper.

In order to prove Lemma 4 it is enough to show: 
Lemma 5. For every r̄, r there exist two graphs E_1 and F_1 such that E_1 has the property of directed reachability, F_1 does not have this property, and the duplicator has a winning strategy in the 3 − r̄ − r-Ehrenfeucht-Fraïssé game on E_1 and F_1.

Let us define some notations:

Definition 3. Let H and I be two graphs, each of them with a specified source and sink. Let c be a natural number.

1. H + I is the graph being a union of disjoint copies of H and I, where the source of H and the source of I are identified and the sink of H and the sink of I are identified. The source of H + I is the common source of H and I and the sink of H + I is the common sink of H and I.

2. cH is H + H + ⋯ + H, where c copies are added.

3. HI is the graph being a union of disjoint copies of H and I, where the sink of H and the source of I are identified. The source of HI is the source of H and the sink of HI is the sink of I.

Now we are ready to define the graphs F and E, the bricks of all our future constructions:

Definition 4. F = c(G_1 + G_2 + ⋯ + G_n) where c is huge enough with respect to n, r̄ and r (it will soon be clear how huge it must be) and E = F + G.

G and G_k are the graphs from Section 2.

Clearly, E has the property of directed reachability while F does not. Notice our mnemonic notation: the letter E is F with an additional edge. One should remember that the graph G (and so the graphs G_k and the graphs E and F) depends on the choice of r̄ and r.

To explain what E and F are good for we will prove:

Lemma 6. The duplicator has a winning strategy in the 0 − r̄ − r-Ehrenfeucht-Fraïssé game on E and F.

This Lemma gives a translation of the original proof of the Ajtai-Fagin result 
into the language of Ehrenfeucht-Frai'sse games. 

Proof:

We describe the strategy of the duplicator. In the first round the spoiler colors the graph E. The duplicator analyzes the colored copy of G in E, and finds k whose existence is guaranteed by Theorem 2. He takes one of the copies of G_k in F and copies on it the coloring of G in E. Then for each copy of G_i in E such that i ≠ k, he copies its coloring to F. Now he still has many copies of G_k to be colored in F. He cannot just copy the coloring of the respective copies of G_k in E because he has one of them less in F than in E: we mean the one that is already colored as G.

To overcome this problem the duplicator finds the coloring which is the most common among the copies of G_k in E. There are some m > r copies of G_k colored like this (here one can compute c). He colors m − 1 copies of G_k in F with this most common coloring. Then for each copy of G_k colored in E in a way different than the most common one he creates one copy of it in F.

It is now simple to show (with the use of Theorem 2) that the duplicator has a winning strategy in the r-round Ehrenfeucht-Fraïssé game on the colored graphs E and F. □

Now we define the graphs whose existence is claimed in Lemma 5:

Definition 5. Let F_1 be c_1(EF + FE) and let E_1 be F_1 + EE. Again c_1 is a constant which is "huge enough" with respect to n, r̄ and r.

Clearly, E_1 has the property of directed reachability and F_1 does not. We will need names to call parts of E_1 and F_1:

Definition 6. Each copy of EF, or FE or EE in E_1 or F_1 will be called a segment. In each segment its first half and second half are defined in the natural way. The point which is the sink of the first half and the source of the second half will be called the middle of the segment.

It is time now for: 

Proof of Lemma 5. We will show a winning strategy for the duplicator in the 3 − r̄ − r-Ehrenfeucht-Fraïssé game on E_1 and F_1. The first to move is the spoiler. He picks a point q_0 ∈ F_1. By symmetry we may think that it is in one of the segments of the form EF. The duplicator finds the same point in E_1 and names it p_0. Here we use the fact that F_1 is a subset of E_1, so he can take "the same" point.

Now the spoiler picks the point p_1 in E_1. There are three cases:
case 1. The spoiler picks an element p_1 in the segment EE of E_1.
case 2. The spoiler picks an element p_1 in one of the segments EF or in one of the segments FE of E_1, but not in the one where p_0 is located.
case 3. The spoiler picks an element p_1 in the same segment where p_0 is located.

We only consider case 1, which seems to be the most difficult one for the duplicator. No new arguments are needed for case 2. Also case 3 is easy for the duplicator: he takes a proper q_1 in the same segment where q_0 is.

There are two (almost symmetric) subcases of case 1: either p_1 is in the first half (including the middle) of EE, or in the second half. Let us consider the situation when p_1 is in the first half of EE. Since p_1 is an element of a copy of the graph E the duplicator wants q_1 to be also an element of some copy of E. So he takes one of the segments in F_1 which is of the form EF and chooses q_1 to be an element of the first half of it. More precisely, the duplicator chooses q_1 to be the same element of (this other copy of) E as p_1 is.

Now the spoiler picks a point q_2 in F_1. There are three subsubcases: either he takes a point in the same segment where q_0 was picked, or in the one where q_1 is, or in still another one. In the last case the duplicator finds in E_1 a new copy of the segment where q_2 was taken from, and chooses p_2 to be the same as q_2 element of (a different copy of) the segment. In the first (subsub)case the duplicator chooses as p_2 a proper element of the copy of EF where p_0 is located. In the second (subsub)case there are again two possibilities. First is that q_2 is in the first half (including the middle) of the segment. So q_2 is an element of the same copy of E as q_1 is. Then the duplicator chooses as p_2 the same as q_2 element of the copy of E in which p_1 was picked. The second possibility is that q_2 is taken by the spoiler from the second half of the segment where q_1 is. Since q_1 and q_2 are in the same segment the duplicator would like to keep p_2 in the same segment as p_1. So he must pick a point in the second half of the segment where p_1 is located. The half where q_2 is picked is a copy of F and the half where the duplicator wants to place p_2 is a copy of E. Since F is a subset of E it makes sense to say that the duplicator chooses p_2 to be the same point in this half as q_2 is.

Now the coloring round. All the (sub)cases are similar. We show how the duplicator can win if p_1 and p_2 are in the two halves of the segment EE. The first to move is the spoiler, who colors the graph E_1. Now the duplicator colors F_1. First, he copies to the segment of F_1 where q_0 is located the coloring of the segment in E_1 where p_0 is. It is easy since the two segments are isomorphic. Also, he copies to F_1 the coloring of the segments of the form FE in E_1 (one copy for each of them). Then he colors the copy of E where q_1 is in the same way as the copy of E in which p_1 is located is colored in E_1. To color the second half of the segment with q_1, q_2 he needs something different than just copying: this is because this second half is E in E_1 and F in F_1. He starts from copying the coloring of the copy of G_k where p_2 is located to the copy of G_k where q_2 is. Then, for the remaining nodes of the half he uses the method from the proof of Lemma 6. To finish he needs to color the remaining segments of the form EF in F_1. Like in Lemma 6 he cannot just copy the colorings from the respective segments in E_1: there is one less non-colored segment in F_1 now. So again he finds the most common coloring of segments of the form EF in E_1. Since c_1 is huge enough there are m > r segments colored with this coloring. The duplicator colors like this m − 1 copies of EF in F_1. Then he makes in F_1 one copy of each of the EF segments colored in E_1 in a way different than the most common.

It is easy to show (with the use of Theorem 2) that after the described coloring the duplicator has a winning strategy in the remaining r-round first order Ehrenfeucht-Fraïssé game. □



5 Positive First Order Closure of Monadic Σ¹₁

In this section we prove the main result of this paper: 

Theorem 4. Directed reachability is not expressible by a formula in the positive first order closure of monadic Σ¹₁.

Proof: Fix l, r̄ and r. By Lemma 3 it is enough to show that there exist structures E_{l,r̄,r} and F_{l,r̄,r} such that E_{l,r̄,r} has the property of directed reachability, F_{l,r̄,r} does not, and that the duplicator has a winning strategy in the l − r̄ − r-Ehrenfeucht-Fraïssé game on E_{l,r̄,r} and F_{l,r̄,r}.

Definition 7. Let F_0 be the F from Section 4 and E_0 be the E from Section 4. For i ≥ 1 we define F_{i+1} as c_{i+1}(E_iF_i + F_iE_i), and E_{i+1} as F_{i+1} + E_iE_i, where c_{i+1} is huge enough with respect to n, r̄ and r.

As we said in Section 2, the graph $G$, and so the graphs $F_0$ and $\bar F_0$, depend on $r$ and $r'$.

Again it is clear that $F_{i+1}$ has the property of directed reachability and that $\bar F_{i+1}$ does not have it.

Definition 8. Each copy of $F_iF_i$, $\bar F_iF_i$ or $\bar F_i\bar F_i$ in $F_{i+1}$ or $\bar F_{i+1}$ will be called an $i$-segment. In each $i$-segment its first half and second half are defined in the natural way.

Definition 9. Assume a tuple of points $p_1, p_2, \dots, p_k$ is selected in $\bar F_0$, and a tuple of points $q_1, q_2, \dots, q_k$ is selected in $F_0$. We say that the two tuples are 1-corresponding if there is an automorphism $f$ of $F_0$ such that $f(q_i) = p_i$ for each $i$. In other words, this means that if $q_i$ is located in some copy of $G_s$ in $F_0$, for some $i$ and $s$, then $p_i$ is the same point of some copy of $G_s$ in $\bar F_0$, and that $q_i$ and $q_j$ belong to the same copy of some $G_s$ in $F_0$ if and only if $p_i$ and $p_j$ belong to the same copy of some $G_s$ in $\bar F_0$.

Definition 10. Assume a tuple of points $p_1, p_2, \dots, p_k$ is selected in $F_i$ (or $\bar F_i$), and a tuple of points $q_1, q_2, \dots, q_k$ is selected in another copy of $F_i$ (respectively $\bar F_i$). We say that the two tuples are $i$-corresponding if there exists an isomorphism $f$ between the two copies such that $f(p_j) = q_j$ for each $1 \le j \le k$.

Definition 11. Assume a tuple of points $p_1, p_2, \dots, p_k$ is selected in $\bar F_{i+1}$, and a tuple of points $q_1, q_2, \dots, q_k$ is selected in $F_{i+1}$. We say that the two tuples are $(i+1)$-corresponding if the conjunction of the following conditions holds:

1. If $p_j$ is in the first (second) half of some $i$-segment then $q_j$ also is in the first (second) half of its $i$-segment.

2. The points $p_{j_1}$ and $p_{j_2}$ are in the same $i$-segment if and only if $q_{j_1}$ and $q_{j_2}$ are in the same $i$-segment.

3. If $p_{j_1}, p_{j_2}, \dots, p_{j_s}$ are in the same half of some $i$-segment (that is, in some copy of $F_i$ or $\bar F_i$) then $q_{j_1}, q_{j_2}, \dots, q_{j_s}$ are also in the same half of some $i$-segment (this follows from (2)) and the tuples $p_{j_1}, p_{j_2}, \dots, p_{j_s}$ and $q_{j_1}, q_{j_2}, \dots, q_{j_s}$ are $i$-corresponding.

Lemma 7. Suppose $k \le l$ and the tuples of points $p_1, p_2, \dots, p_k$ in $\bar F_i$ and $q_1, q_2, \dots, q_k$ in $F_i$ are $i$-corresponding. Then for every coloring of $\bar F_i$ there exists a coloring of $F_i$ such that the duplicator has a winning strategy in the $r$-rounds Ehrenfeucht-Fraïssé game on the colored structures $\bar F_i$ and $F_i$ with $l$ constants interpreted in $\bar F_i$ as $p_1, p_2, \dots, p_k$ and in $F_i$ as $q_1, q_2, \dots, q_k$.

Proof: Induction on $i$.

If $i = 1$ then one can use the argument from the end of the proof of Lemma 5. We leave it to the reader. Notice that this argument requires an easy modification to take care of the constants. One should remark here that the ‘huge enough’ $c_1$ depends on $l$, the number of constants in the tuple. This is the same $l$ as in $F_{l,r,r'}$ and in the beginning of this section.

Now the induction step. Assume that the claim holds for some $i$ and consider the graphs $\bar F_{i+1}$ and $F_{i+1}$ with $(i+1)$-corresponding tuples $p_1, p_2, \dots, p_k$ and $q_1, q_2, \dots, q_k$.

This is how to color $F_{i+1}$ for a given coloring of $\bar F_{i+1}$.

For any $i$-segment in $\bar F_{i+1}$ which contains some $p_{j_1}, p_{j_2}, \dots, p_{j_s}$, color the $i$-segment in $F_{i+1}$ containing $q_{j_1}, q_{j_2}, \dots, q_{j_s}$ in the way given by the induction hypothesis. This is possible since the subset of $p_{j_1}, p_{j_2}, \dots, p_{j_s}$ in the first (second) half of the $i$-segment and the subset of $q_{j_1}, q_{j_2}, \dots, q_{j_s}$ in the first (second) half of the $i$-segment are $i$-corresponding.

Then, if none of the $p_j$ was in the segment $\bar F_i\bar F_i$ of $\bar F_{i+1}$, take one of the not yet colored segments $\bar F_iF_i$ of $F_{i+1}$, copy to it the coloring of the first half of $\bar F_i\bar F_i$, and use the hypothesis to color the second half.

What remains to be colored is some number of segments of the form $F_iF_i$ and $\bar F_iF_i$ in $F_{i+1}$. For this we use the fact that $c_{i+1}$ is huge enough and the trick with the ‘most common color’ from the proof of Lemma 6.

Now the strategy for the duplicator in the $r$-rounds Ehrenfeucht-Fraïssé game is inherited from the strategies existing by the hypothesis for each of the games on each half of an $i$-segment respectively. □

Lemma 8. Consider the following game between the spoiler and the duplicator: in every odd round the spoiler picks a point in $F_i$ and the duplicator responds with a point in $\bar F_i$, and in every even round the spoiler picks a point in $\bar F_i$ and the duplicator responds with a point in $F_i$. The duplicator wins if the tuples $p_1, p_2, \dots, p_k$ in $\bar F_i$ and $q_1, q_2, \dots, q_k$ in $F_i$ of points picked in rounds $1, 2, \dots, k$ respectively are $i$-corresponding.

Then for every $i$ the duplicator has a winning strategy in a game with $2i + 1$ rounds.

Proof: Induction on $i$.

If $i = 1$ then the claim follows from the proof of Lemma 5.

For the induction step, assume that the claim holds for some $i$ and consider the graphs $F_{i+1}$ and $\bar F_{i+1}$. We want to show a winning strategy for the duplicator in a game with $2i + 3$ rounds. In the first round the spoiler takes a point $q_1$ in $F_{i+1}$, for example in one of the $i$-segments of the form $\bar F_iF_i$. The duplicator responds with $p_1$ being the same point in $\bar F_{i+1}$. Then the spoiler can pick a point $p_2$ in $\bar F_{i+1}$. The only interesting case is when the point is in the $i$-segment $\bar F_i\bar F_i$. Suppose $p_2$ is in the first half of $\bar F_i\bar F_i$. Then the duplicator finds a copy of $\bar F_iF_i$ in $F_{i+1}$, but a different one than the one where $q_1$ is located, and chooses $q_2$ to be the same point in the first half of the copy of $\bar F_iF_i$ as $p_2$ is in the first half of $\bar F_i\bar F_i$.

In the remaining $2i + 1$ rounds the duplicator can in most cases answer the moves of the spoiler in isomorphic halves of $i$-segments. In those cases he easily wins. The only action of the spoiler which could require more care from the duplicator is when he takes his points from the second halves of the $i$-segments where $p_2$ and $q_2$ are located. This is because that half is a copy of $\bar F_i$ in $\bar F_{i+1}$ and a copy of $F_i$ in $F_{i+1}$. But there are only $2i + 1$ rounds left now, so a winning strategy for the duplicator exists by the hypothesis. □

Now take $F_{l,r,r'} = F_l$ and $\bar F_{l,r,r'} = \bar F_l$. Theorem 4 follows from Lemmas 7 and 8. □

6 Remark 

The existence of graphs $H_1$ and $H_2$ such that $H_1$ has the property of directed reachability, $H_2$ does not have it, and the duplicator has a winning strategy in the $0$-$r$-$r'$-Ehrenfeucht-Fraïssé game on $H_1$ and $H_2$ follows from Theorem 1 and Lemma 2. Moreover, as was proved by R. Fagin [F97], we can take $H_1$ to be a path (from source to sink) with backedges, as in the proof of Theorem 1. Then $H_2$ can be defined as the result of removing one forward edge from $H_1$.

This fact could be used as the induction basis in our proof, instead of Lemma 4. Definition 4 would be skipped then: the bricks of the whole construction would be the unknown graphs $H_1$ and $H_2$ instead of $F$ and $\bar F$. It is funny to see how little we need to know about the actual structure of $H_1$ and $H_2$. We do not even need to require that they have the same sets of vertices.

The remark above is almost obvious, and I am ashamed to admit I have only learned it from a letter that Ronald Fagin wrote to me after reading the first version of this paper. Also one of the anonymous referees suggested removing Lemma 4 and using $H_1$ and $H_2$ as the basis of induction.

Nevertheless I decided not to reorganize this paper. This is first of all because I find the construction of $F$ and $\bar F$ in Definition 4 very nice. Another reason is that this would require concentrating all difficulties inside the induction step, which would make the paper harder to read.
Abstract. Drawing on an analogy with temporal fixpoint logic, we relate the arithmetic fixpoint definable sets to the winning positions of certain games, namely games whose winning conditions lie in the difference hierarchy over $\Sigma^0_2$. This both provides a simple characterization of the fixpoint hierarchy, and refines existing results on the power of the game quantifier in descriptive set theory.



1 Introduction 

For several decades, games have been an essential tool for the study of logic, 
both in mathematical logic and more recently in computer science. Perhaps the 
most developed application in computer science logic is the use of Ehrenfeucht-Fraïssé games for first-order logic, and the refinements such as pebble games
which correspond to finite variable fragments. However, games are also useful in 
temporal logic, and in particular for the modal mu-calculus. The ability to switch 
one’s point of view between logics, automata and games facilitates many results. 
In particular, the semantics of the modal mu-calculus can be described by means 
of a parity game, that is, a game in which the winning condition concerns the 
parity of the highest index seen infinitely often in the game. This presentation 
is equivalent to a presentation via alternating Rabin automata, or via tableaux. 
In modal mu-calculus, a key issue is the alternation of minimal and maximal 
fixpoints; in automata, this corresponds to the Rabin index, and in normal form 
parity games it corresponds to the number of indices. 

Games, in the form of Gale-Stewart games, also play an important role in descriptive set theory: they provide a tool with which many of the structure theorems of the classical and effective Borel and Lusin hierarchies can be obtained. The game quantifier $\Game$ takes a game, defined by its set of winning plays, and returns the set of winning positions; the power of this quantifier is the object of our study. Kechris and Moschovakis showed that a $\Sigma^0_1$ game has a $\Pi^1_1$ set of winning positions; and Robert Solovay showed that the set of winning positions of a $\Sigma^0_2$ game is $\Sigma^1_1$-inductive. Thomas John studied $\Sigma^0_3$ games, and the characterization is complex, involving higher-type recursion and certain levels of the constructible universe.

If one looks at the previous paragraph with fixpoint glasses on, one notices that $\Pi^1_1$ is $\Pi^0_1$-inductive, that is, on the first level $\Sigma^\mu_1$ of the fixpoint alternation hierarchy of arithmetic with fixpoints; and that $\Sigma^1_1$-inductive is the second level. It is then natural to ask whether this is coincidence, or whether there is, in arithmetic, a nice relationship between fixpoint alternation and some hierarchy of games, mediated by the game quantifier. One might initially speculate that $\Sigma^0_n$ games have $\Sigma^\mu_n$ winning positions, but alas this cannot be true. However, the world of Rabin automata and modal mu-calculus provides a suggestion: the complexity of the Rabin or parity condition corresponds to the complexity of the winning plays, and since the modal fixpoint alternation is correlated nicely to that, the next obvious thing to do is to try to find a notion of complexity in arithmetic that corresponds to the Rabin index, and then hope that the correlation still holds in the rather different world of arithmetic. The result of such an exploration is that fixpoint complexity of winning positions does indeed correspond to a natural fine hierarchy of arithmetic, in a way that matches well with the finite automata world; and although the result is pure descriptive set theory, the games used in its proof are natural analogues of games developed for the automata and temporal logic world. In fact, the games were formulated in order to establish the modal mu-calculus fixpoint alternation hierarchy with the assistance of descriptive set theory; so it is pleasing to go back and use them to obtain results in descriptive set theory.

2 Preliminaries 

2.1 Notations and Basic Definitions 

$\omega$ is the set of non-negative integers; integer variables range over $\omega$. The set of finite sequences of integers is denoted $\omega^*$; finite sequences are identified with integers via standard codings; variables $u, v$ range over $\omega^*$. The set of infinite sequences of integers is ${}^\omega\omega$; variables $\alpha, \beta$ range over ${}^\omega\omega$. For $\alpha \in {}^\omega\omega$, $\alpha(i)$ is the $i$'th element of $\alpha$, and $\alpha(<i)$ is the finite sequence $(\alpha(0), \dots, \alpha(i-1))$. Concatenation of finite and infinite sequences is written with concatenation of symbols or with $\cdot$, and extended to sets pointwise.

We consider (only) spaces that are the product of copies of ${}^\omega\omega$ and $\omega$; they are given the product topology, where $\omega$ carries the discrete topology and ${}^\omega\omega$ itself carries the infinite product topology (in which the basic open sets are the sets $u \cdot {}^\omega\omega$ for every finite sequence $u$). A pointset $P$ is a subset of such a space $X$; we write variously $P(i,\alpha)$ or $(i,\alpha) \in P$ if $X$ is, for example, $\omega \times {}^\omega\omega$. A pointset is semi-recursive or $\Sigma^0_1$ iff it is a recursive union of basic opens, in other words given by a semi-recursive set of prefixes: in particular, a pointset $P \subseteq {}^\omega\omega$ is $\Sigma^0_1$ iff $P = \bigcup_j N_{e(j)}$, where $N_k$ denotes the basic neighbourhood $u_k \cdot {}^\omega\omega$ for some recursive enumeration $k \mapsto u_k$ of the finite sequences $\omega^*$, and $e$ is a recursive function $\omega \to \omega$, otherwise known as a recursive element of ${}^\omega\omega$. A pointclass is a set of pointsets; if $\Lambda$ and $\Lambda'$ are pointclasses, then $\Lambda \wedge \Lambda'$ is the pointclass $\{P \cap P' \mid P \in \Lambda, P' \in \Lambda'\}$ and similarly for $\vee$; and if $\Lambda$ is a pointclass on $\omega \times X$, then $\exists^\omega\Lambda$ is the pointclass $\{Q \subseteq X \mid \exists P \in \Lambda.\ x \in Q \Leftrightarrow \exists i.\ (i,x) \in P\}$; similarly for $\exists^{{}^\omega\omega}$. The Kleene pointclasses (the arithmetical and analytical hierarchies) are defined by $\Pi^i_n = \neg\Sigma^i_n$; $\Sigma^0_{n+1} = \exists^\omega\Pi^0_n$; $\Sigma^1_0 = \Sigma^0_1$; $\Sigma^1_{n+1} = \exists^{{}^\omega\omega}\Pi^1_n$; $\Delta^1_n = \Sigma^1_n \cap \Pi^1_n$.

Pointsets in the Kleene pointclasses are definable by formulae of first- and second- 
order arithmetic in the usual prenex normal form. 

For completeness we recall that the boldface classes are given by: $\mathbf{\Sigma}^0_1$ is the class of open sets, and then similarly to the lightface classes; however, we are here concerned mainly with the lightface classes.

Ordinals are ranged over by variables $\xi, \zeta$.

An ($\omega$-)tree is a prefix-closed subset of $\omega^*$. If $T$ is a tree, $\alpha$ is an infinite branch of $T$ iff $\forall i.\ \alpha(<i) \in T$. The body $[T]$ of $T$ is the set of its infinite branches. $T$ is recursive (etc.) iff it is recursive (etc.) as a subset of $\omega$ via the coding of sequences. The following standard fact will be useful:

Lemma 1. If $P \subseteq {}^\omega\omega$ is $\Pi^0_1$, then there is a $\Pi^0_1$ tree $T$ such that $\alpha \in P \Leftrightarrow \alpha \in [T]$.

Proof. If $P$ is $\Pi^0_1$, by definition it is ${}^\omega\omega \setminus \bigcup_j N_{e(j)} = \bigcap_j \overline{N_{e(j)}}$ for some recursive $e$. Put $T = \{v \mid \forall j.\ v \text{ does not have } u_{e(j)} \text{ as a prefix}\}$; this is prefix-closed. If $\alpha \in P$, then no prefix of $\alpha$ extends any $u_{e(j)}$ (otherwise $\alpha \in N_{e(j)}$), so $\forall i.\ \alpha(<i) \in T$; conversely, if $\alpha \notin P$, then $\alpha \in N_{e(j)}$ for some $j$, and then the prefix $\alpha(<i)$ with $i$ the length of $u_{e(j)}$ has $u_{e(j)}$ as a prefix and so lies outside $T$. Finally, $T$ is $\Pi^0_1$, since the test ‘$v$ does not have $u_{e(j)}$ as a prefix’ is recursive in $v$ and $j$, and $T$ is obtained from it by a single $\forall j$.

2.2 Gale— Stewart Games 

An infinite game of perfect information, or Gale-Stewart game, on $\omega$, is played between two players, Abelard and Eloise. The players take turns, starting with Eloise, to choose a number, so defining a play as an infinite sequence $\alpha \in {}^\omega\omega$. The game is defined by a winning condition $P \subseteq {}^\omega\omega$, a set of sequences; if $\alpha \in P$ (we write also $P(\alpha)$), then Eloise wins the play, otherwise Abelard. A strategy for Eloise is a function from partial plays where she is due to move, i.e. finite sequences of even length, to integers, telling Eloise her next move. A winning strategy for Eloise is one such that if she follows it, she is guaranteed to win the game no matter how Abelard plays. If $u$ is a partial play in the game $P$, then $P[u]$ denotes the game $\{\alpha \mid u\alpha \in P\}$. A winning position for Eloise is a partial play $u$ of even length from which Eloise has a winning strategy for $P[u]$; thus Eloise has a winning strategy for the game, or wins the game, iff $()$ is a winning position for her.

It is frequently convenient to relax the definition to allow games with rules 
which constrain the choices of the players, and games where the players’ turns 
need not strictly alternate. This is harmless provided that the rules and the turn 
function are recursive in the partial plays. 
For our purposes, it is also useful to permit finite plays where Eloise wins outright at a particular point. A game with such plays can easily be modified to a game with only infinite plays; an important point for us is that we shall always have recursive winning conditions on finite plays.

A game is determined if one or other player wins it. By a celebrated theorem of Martin, all games with $\Delta^1_1$ winning conditions are determined. However, Wolfe much earlier proved determinacy for $\Sigma^0_2$ games, and it is a generalization of this proof, far easier than Martin's theorem, that will give us our result.

It is convenient to define cogames in which Abelard moves first. Now we can extend the definition of Eloise winning position to partial plays $u$ of odd length by saying that $u$ is a winning position in the game $P$ iff Eloise wins the cogame $P[u]$.

If $P \subseteq {}^\omega\omega \times X$, then for each $x \in X$ the set $\{\alpha \mid (\alpha,x) \in P\}$ defines a game (we call it $P(\alpha,x)$). The game quantifier $\Game$ is defined thus: $\Game\alpha.P(\alpha,x)$ is the set $\{x \mid \text{Eloise wins the game } P(\alpha,x)\}$. Although formally defined in terms of strategies, it is intuitively understood as an infinite string of first-order quantifiers:

$\exists a_0.\ \forall a_1.\ \exists a_2.\ \forall a_3.\ \dots\ P(a_0 a_1 a_2 a_3 \dots, x).$

Let $\Lambda$ be a pointclass on ${}^\omega\omega \times X$; then $\Game\Lambda$ is the pointclass

$\{Q \subseteq X \mid \exists P \in \Lambda.\ Q = \Game\alpha.P(\alpha,x)\}.$

The following standard fact (see [6]) will be required:

Lemma 2. If $\Lambda$ is a determined pointclass closed under recursive substitution, then $\neg\Game\Lambda = \Game\neg\Lambda$.

2.3 Mu- Arithmetic 

In [5] Robert Lubarsky studies the logic given by adding fixpoint constructors to first-order arithmetic. This logic is also known as LFP in finite model theory, where it is most studied. The logic (‘mu-arithmetic’ for short) has as basic symbols the following: function symbols $f, g, h$; predicate symbols $P, Q, R$; first-order variables $x, y, z$; set variables $X, Y, Z$; and the symbols $\vee, \wedge, \exists, \forall, \mu, \nu$.¹ As with the modal mu-calculus, $\neg$ can be pushed inwards to apply only to atomic formulae, by De Morgan duality.

The language has expressions of three kinds: individual terms, set terms, and formulae. The individual terms comprise the usual terms of first-order logic. The set terms comprise set variables and expressions $\mu(x,X).\varphi$ and $\nu(x,X).\varphi$, where $X$ occurs positively in $\varphi$. Here $\mu$ binds both an individual variable and a set variable; henceforth we shall often write just $\mu X.\varphi$, and assume that the individual variable is the lower-case of the set variable. We also use $\mu/\nu$ to mean ‘$\mu$ or $\nu$ as appropriate’. The formulae are built by the usual first-order construction, together with the rule that if $\tau$ is an individual term and $S$ is a set term, then $\tau \in S$ is a formula.

¹ As Springer now like to have LaTeX source, the notation in this version of the paper is constrained by the commonly available packages. Readers who want real notation should see the version on my home page http://www.dcs.ed.ac.uk/home/jcb/.

This language is interpreted over the structure $\omega$ of first-order arithmetic. The semantics of the first-order connectives is as usual; $\tau \in S$ is interpreted naturally; and the set term $\mu X.\varphi(x,X)$ is interpreted as the least fixpoint of the functional $X \mapsto \{m \in \omega \mid \varphi(m,X)\}$ (where $X \subseteq \omega$).

Mu-arithmetic has a prenex normal form [5,2] of the following shape:

$\tau_n \in \mu/\nu X_n.\ \tau_{n-1} \in \mu/\nu X_{n-1}.\ \cdots\ \tau_1 \in \mu/\nu X_1.\ \varphi$

where $\varphi$ is first-order: that is, a string of alternating fixpoint quantifiers, and a first-order body. If we refer to a formula in normal form, we shall refer to its components by this notation.

We define levels of the fixpoint alternation hierarchy similarly to the Kleene hierarchies: first-order formulae are $\Sigma^\mu_0$ and $\Pi^\mu_0$, as are set variables. The $\Sigma^\mu_{n+1}$ formulae and set terms are formed from the $\Sigma^\mu_n \cup \Pi^\mu_n$ formulae and set terms by closing under (i) the first-order connectives and (ii) the formation of $\mu X.\varphi$ for $\varphi \in \Sigma^\mu_{n+1}$; dually, $\Pi^\mu_{n+1}$ closes under $\nu X.\varphi$.

A set $A \subseteq \omega$ is $\Sigma^\mu_n$ if $x \in A \Leftrightarrow \tau(x) \in S(x)$ for some $\Sigma^\mu_n$ set term $S$. Note that this does not mean that $A$ is a fixpoint, only that $A$ is definable via a fixpoint.

A $\Sigma^\mu_1$ set corresponds to a set definable by an inductive definition over an arithmetic predicate; hence by Kleene's theorem, $\Sigma^\mu_1$ is equal to $\Pi^1_1$. The higher levels of the fixpoint hierarchy have been characterized by Lubarsky [5] in terms of large admissible ordinals involving a generalized reflection principle, devised for the purpose, and whose essential content is the iteration of the idea $\Pi^1_1 = \Pi^0_1\text{-IND} = (\Sigma_1 \text{ on } \Delta^1_1)$; however, there has not been a simple characterization in terms of existing notions.
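
The fixpoint semantics above, as an added example that is not from the paper: the functional $X \mapsto \{m \mid \varphi(m,X)\}$ is iterated by Knaster-Tarski from $\emptyset$ (for $\mu$) or from the whole domain (for $\nu$). The domain is a constructed finite directed graph standing in for $\omega$ (an assumption that makes every iteration stop after finitely many steps; over $\omega$ a least fixpoint may need transfinitely many, which is why $\Sigma^\mu_1$ lands at $\Pi^1_1$), and the three formulas are assumptions of the example chosen to sit at $\Sigma^\mu_1$, $\Pi^\mu_2$ and $\Sigma^\mu_2$ respectively.

```python
from typing import Callable, Dict, FrozenSet, List

# Added example, not the paper's code. Assumption: a constructed finite
# graph replaces the structure omega, so Knaster-Tarski iteration of the
# functional X |-> { m | phi(m, X) } reaches each fixpoint in finitely
# many steps.
SetEnv = Dict[str, FrozenSet[int]]
Body = Callable[[int, SetEnv], bool]  # phi(x, X_1, ..., X_k); x is the individual argument

# Constructed finite structure: EDGES[m] are the E-successors of m.
EDGES: Dict[int, List[int]] = {0: [1], 1: [2], 2: [1, 3], 3: [3], 4: [5], 5: [4]}
DOM: FrozenSet[int] = frozenset(EDGES)


def functional(name: str, body: Body, env: SetEnv) -> Callable[[FrozenSet[int]], FrozenSet[int]]:
    """The operator X |-> { m in DOM | body(m, X) } whose fixpoints mu/nu X.body denote.
    body must use `name` positively; that is what makes the operator monotone."""
    return lambda X: frozenset(m for m in DOM if body(m, {**env, name: X}))


def lfp(name: str, body: Body, env: SetEnv) -> FrozenSet[int]:
    """mu(x, X).body: iterate from the empty set upwards until stable."""
    step, X = functional(name, body, env), frozenset()
    while True:
        nxt = step(X)
        if nxt == X:
            return X
        X = nxt


def gfp(name: str, body: Body, env: SetEnv) -> FrozenSet[int]:
    """nu(x, X).body: iterate from the whole domain downwards until stable."""
    step, X = functional(name, body, env), DOM
    while True:
        nxt = step(X)
        if nxt == X:
            return X
        X = nxt


def reach(target: int) -> FrozenSet[int]:
    """Sigma^mu_1:  x in mu X. (x = target  or  exists y. E(x, y) and y in X)."""
    return lfp("X", lambda x, env: x == target or any(y in env["X"] for y in EDGES[x]), {})


def buchi(F: FrozenSet[int]) -> FrozenSet[int]:
    """Pi^mu_2:  x in nu Y. mu X. exists y. E(x, y) and ((F(y) and y in Y) or y in X).
    Points from which some path meets F infinitely often: the outer nu may be
    regenerated for ever, the inner mu forces F to be reached each time."""
    inner: Body = lambda x, env: any((y in F and y in env["Y"]) or y in env["X"] for y in EDGES[x])
    return gfp("Y", lambda x, env: x in lfp("X", inner, env), {})


def eventually_forever(S: FrozenSet[int]) -> FrozenSet[int]:
    """Sigma^mu_2:  x in mu X. ((x in nu Y. (S(x) and exists y. E(x, y) and y in Y))
                                or exists y. E(x, y) and y in X).
    Points from which some path ends up inside S for ever: the same two
    fixpoints as in buchi, alternated the other way round."""
    stay: Body = lambda x, env: x in S and any(y in env["Y"] for y in EDGES[x])
    return lfp("X", lambda x, env: x in gfp("Y", stay, env) or any(y in env["X"] for y in EDGES[x]), {})


if __name__ == "__main__":
    print("reach(3)                =", sorted(reach(3)))
    print("buchi({2})              =", sorted(buchi(frozenset({2}))))
    print("eventually_forever({3}) =", sorted(eventually_forever(frozenset({3}))))
```

The two nested formulas use the same pair of fixpoints and differ only in which one is outermost, yet they define different sets (a path that visits the target infinitely often versus one that settles into it), which is exactly the alternation the $\Sigma^\mu_n$/$\Pi^\mu_n$ levels measure.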

2.4 Rabin Conditions and Parity Games

Consider a (non-deterministic) finite automaton on which Eloise and Abelard play a Gale-Stewart style game by alternately choosing next states. A Rabin condition is a winning condition for the game of the following form:

$\bigvee_{1 \le i \le n} (\infty G_i \wedge \neg\infty R_i)$

where $G_i$ and $R_i$ are subsets of states, and $\infty A$ means that the set $A$ is met infinitely often during the play. $n$ is the Rabin index.

These alternating Rabin automata are important in temporal logic, as they are one characterization of modal mu-calculus. They are equivalent to alternating parity automata: a parity condition has the form ‘for given sets $X_i$, $1 \le i \le n$, of states, the greatest $j$ such that $X_j$ occurs infinitely often in the play is even’. The relationship between parity automata and modal mu-calculus is direct [4], as the parity condition corresponds to the statement ‘the highest fixpoint variable regenerated infinitely often is a maximal fixpoint’.
The Rabin index, or the number of sets in a parity condition, corresponds to the fixpoint alternation in modal mu-calculus, and it is this that inspires both our question and its solution. (Niwiński [7] gives a survey of all the concepts mentioned here, as part of a study of fixpoint operators on trees.)

3 Games for Mu-Arithmetic 

The familiar Ehrenfeucht-Fraïssé games for first-order logic are used to distinguish structures; one can also define model-checking games or semantic games where the object is to determine whether $\varphi(x)$ holds for a formula $\varphi$ and element $x$ of a given structure. For first-order logic, the game may be defined thus: given a formula $\varphi$ and a structure $T$, a position in the game is a subformula $\psi$ of $\varphi$ and a valuation of the free variables of $\psi$ by elements of $T$. If $\psi$ is a conjunction, then it is Abelard's turn, and he chooses a conjunct; if a disjunction, then Eloise chooses a disjunct. If $\psi = \exists x.\psi'$, then Eloise chooses a value for $x$ and play moves to $\psi'$; and dually for $\forall x.\psi'$. Play terminates at atomic formulae $P(x)$; Eloise wins the play if $P(x)$ holds of the chosen values for $x$, Abelard otherwise. It is a standard theorem that Eloise wins the game iff $\varphi$ is true. (If $\varphi$ itself has free variables, there is one game for each valuation of them.)
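
The first-order model-checking game just described, as an added example that is not part of the paper: positions are (subformula, valuation) pairs over a constructed finite graph (the structure, the predicate names and the formulas are all assumptions of this example), Abelard resolves conjunctions and universal quantifiers, Eloise resolves disjunctions and existentials, and the solver returns not just the winner but Eloise's winning strategy as a tree of her choices with an answer prepared for every move Abelard can make.

```python
from typing import Any, Dict, Optional, Set

# Added example, not the paper's code. Assumptions: a constructed finite
# structure with one binary relation E and unary predicates, and formulas
# in negation normal form (negation only on atoms), given as nested tuples:
#   ('E', x, y) | ('P', name, x) | ('not', atom) | ('and', l, r) | ('or', l, r)
#   | ('exists', x, body) | ('forall', x, body)
Val = Dict[str, int]

# Constructed structure: 0 -> 1 -> 2 -> 0 is a cycle, 3 -> 3 a loop, 4 a dead end.
EDGES: Dict[int, Set[int]] = {0: {1}, 1: {2}, 2: {0}, 3: {3}, 4: set()}
PREDS: Dict[str, Set[int]] = {"Red": {0, 3}}
DOM: Set[int] = set(EDGES)


def holds(atom: tuple, val: Val) -> bool:
    """Truth of an atomic position: the play has terminated here."""
    if atom[0] == "E":
        return val[atom[2]] in EDGES[val[atom[1]]]
    if atom[0] == "P":
        return val[atom[2]] in PREDS[atom[1]]
    if atom[0] == "not":
        return not holds(atom[1], val)
    raise ValueError(f"not atomic: {atom[0]}")


def strategy(phi: tuple, val: Val) -> Optional[Dict[str, Any]]:
    """A winning strategy for Eloise from position (phi, val), or None if she
    has none. At her own turns the tree records her choice; at Abelard's turns
    it records an answer for every choice he could make."""
    kind = phi[0]
    if kind in ("E", "P", "not"):
        return {"win": True} if holds(phi, val) else None
    if kind == "or":                       # Eloise picks a disjunct
        for i in (1, 2):
            sub = strategy(phi[i], val)
            if sub is not None:
                return {"choose": i, "then": sub}
        return None
    if kind == "exists":                   # Eloise picks a witness
        _, x, body = phi
        for m in sorted(DOM):
            sub = strategy(body, {**val, x: m})
            if sub is not None:
                return {"choose": m, "then": sub}
        return None
    if kind == "and":                      # Abelard picks a conjunct
        answers = {i: strategy(phi[i], val) for i in (1, 2)}
    elif kind == "forall":                 # Abelard picks a value
        _, x, body = phi
        answers = {m: strategy(body, {**val, x: m}) for m in sorted(DOM)}
    else:
        raise ValueError(kind)
    return None if any(a is None for a in answers.values()) else {"branches": answers}


def eloise_wins(phi: tuple, val: Optional[Val] = None) -> bool:
    return strategy(phi, val or {}) is not None


# Constructed formulas: a red vertex with a red successor; every vertex has a
# successor; every successor of a vertex has a successor itself.
PHI_RED_EDGE = ("exists", "x", ("and", ("P", "Red", "x"),
                               ("exists", "y", ("and", ("E", "x", "y"), ("P", "Red", "y")))))
PHI_TOTAL = ("forall", "x", ("exists", "y", ("E", "x", "y")))
PHI_SUCC_CLOSED = ("forall", "x", ("forall", "y",
                   ("or", ("not", ("E", "x", "y")), ("exists", "z", ("E", "y", "z")))))

if __name__ == "__main__":
    for name, phi in [("red edge", PHI_RED_EDGE), ("total", PHI_TOTAL), ("succ closed", PHI_SUCC_CLOSED)]:
        print(name, "->", strategy(phi, {}))
```

Because the structure is finite the game tree is finite and the recursion terminates, which is why the winner can be read off directly; over $\omega$, or once fixpoint operators are added, plays can be infinite and the parity condition of the following paragraphs decides them instead.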

Remark 3. Traditionally, the valuation of variables is not explicitly encoded in 
the position, but read off from the history. This is a vital distinction in the finite 
model theory use of games, since we do not wish to assume that we can keep 
arbitrary amounts of information. The notion of pebble game was invented in 
order to encode the variable assignment in the position, and then the number 
of pebbles (variables) can be limited, so that we can ask ‘is there a winning 
strategy using only the bounded history information available?’. However, we 
are working in arithmetic, so we have all the coding apparatus we want, and 
may as well carry the assignment with us; it is purely a matter of convenience. 

Games have been extended to LFP in the world of finite model theory, by choosing a candidate fixpoint set $X$ when one passes through a fixpoint operator. Uwe Bosse [1] has used such games to obtain expressivity results on fragments of LFP. However, such a game is undesirable in arithmetic, since it has second-order positions. A more useful game for mu-arithmetic is defined by adapting the game for parity automata or modal mu-calculus: instead of finite plays, one now has infinite plays, and the winning condition is given by a parity condition.

Given a formula of mu-arithmetic (or indeed FOL with fixpoints in general), the model-checking game has moves as for first-order logic together with the following rules for the fixpoints: if the position is $\tau \in \mu/\nu(x,X).\varphi$, then play moves to the position $\varphi$ with $x$ valued at the current value of $\tau$. It does not matter who moves, but for definiteness say Eloise moves for $\mu$ and Abelard for $\nu$. If the position is $\tau \in X$, where $X$ is bound by $\mu/\nu(x,X).\varphi$, then again play moves to $\varphi$ with $x$ valued at the current value of $\tau$, and we say that we have seen $X$. It remains to define the winning conditions: if play terminates, the play is won as for first-order logic; if the play is infinite, then Eloise wins iff the outermost fixpoint variable seen infinitely often is maximal. If we start with a formula in normal form, then this is exactly a parity condition. We have

Theorem 4. A formula $\varphi(x)$ of mu-arithmetic holds for a given valuation of $x$ exactly if Eloise has a winning strategy for the model-checking game for $\varphi$ with the given initial valuation.

Proof. A full proof of this theorem is quite long; however it is strategically the 
same as the corresponding proof for modal mu-calculus and parity games. It is 
also the essential content of Theorem 5 of [2]. Therefore I shall not give the proof 
again here. □ 

4 The Power of the Game Quantifier 

Suppose that a winning condition $P(\alpha,x)$ for a Gale-Stewart game has a given descriptive complexity: what is the descriptive complexity of $\Game\alpha.P(\alpha,x)$? If the winning conditions are in the analytical hierarchy, then this is a question intimately related to the structure theory of the hierarchy, and a question that depends on hypotheses outside ZFC, in particular, the hypothesis of Projective Determinacy (that all projective games are determined). Given PD, the answer is quite simple for analytical games: the game quantifier behaves like one more second-order quantifier, and dually, so $\Game$ is a ‘hermaphrodite’ second-order quantifier.

If the winning conditions are below $\Delta^1_1$, then determinacy is not an issue, and one can expect unequivocal answers. However, the game quantifier turns out to be quite delicate. The first answer was:

Theorem 5 (Kechris–Moschovakis). $\Game\Sigma^0_1 = \Pi^1_1$.

Later, Robert Solovay (unpublished, cited in [6], q.v. also for the previous theorem) characterized $\Sigma^0_2$ games, based on Wolfe's proof of the determinacy of $\Sigma^0_2$ games.

Theorem 6 (Solovay). $\Game\Sigma^0_2 = \Sigma^1_1\text{-IND}$ (that is, sets given via an inductive definition over a $\Sigma^1_1$ predicate).

A decade or so later, the next step was taken by Thomas John, who studied $\Sigma^0_3$ games. Unfortunately, the characterization is complex: it involves capturing the levels of Gödel's $L$ at which winning strategies can be found, and is given in terms of higher-type recursion. This appears to be inevitable: the proof of determinacy for $\Sigma^0_3$ proceeds via games in which the positions are themselves games.

There are no published results on $\Sigma^0_4$ or beyond.

As was remarked in the introduction, $\Pi^1_1$ is also $\Pi^0_1$-IND; or in terms of the fixpoint hierarchy, $\Sigma^\mu_1$. Then $\Sigma^1_1$-IND is just $\Sigma^\mu_2$. We then naturally ask whether $\Sigma^\mu_n = \Game\mathcal{X}$ for some natural class $\mathcal{X}$. The conjecture that immediately comes to mind is $\Sigma^\mu_n = \Game\Sigma^0_n$; unfortunately, the complexities of higher-type recursion are not so easily banished. In fact, the game semantics of mu-arithmetic shows that
Theorem 7. For all $n$, $\Sigma^\mu_n \subseteq \Game\nabla_2$, where $\nabla_2$ denotes the boolean closure of $\Sigma^0_2$.

Proof. Consider a mu-arithmetic formula in normal form; wlog, consider the case of odd $n$. The winning condition for the associated game comprises a recursive part dealing with the finite plays, and a parity condition dealing with the infinite plays. The parity condition says that in a play $\alpha$, the highest $X_i$ seen infinitely often is maximal, i.e. $i$ is even. In other words, the condition is

$\neg\infty X_n \wedge (\infty X_{n-1} \vee (\neg\infty X_{n-2} \wedge (\infty X_{n-3} \vee (\dots (\infty X_2 \vee \neg\infty X_1) \dots)))).$

Now, the statement ‘$X_i$ is seen at position $j$ of the play $\alpha$’ is a recursive predicate of $\alpha$; and the statement $\infty X_i$ is just $\forall j.\ \exists k > j.$ ‘$X_i$ is seen at $k$’, which is $\Pi^0_2$. Therefore the entire condition is a boolean combination of $\Pi^0_2$ and $\Sigma^0_2$ statements, Q.E.D. □

One may equally well use a Rabin condition, although this is less natural.

At this point, it seems ‘obvious’ that the argument should also run backwards. However, model-checking games are a very restricted format of games, and the statement $\infty X_i$ is apparently a rather restricted form of $\Pi^0_2$ statement about a play $\alpha$; we wish to make a statement about arbitrary $\nabla_2$ winning conditions. Thus the obvious statement requires some work to prove. The first step is to choose the appropriate fine hierarchy within $\nabla_2$. One may here choose to follow the pattern of Rabin conditions: by using disjunctive normal form, it is trivial that formulae of the shape $\bigvee_i (\Sigma^0_2 \wedge \Pi^0_2)$ are a normal form for $\nabla_2$. However, it is easier and more elegant to follow the pattern of parity conditions, and use a hierarchy known as the difference hierarchy (over $\Sigma^0_2$). Difference hierarchies over open sets have been studied long ago in classical descriptive set theory; more recently Victor Selivanov has, in a series of papers, made a study of an abstract fine hierarchy which subsumes, in a certain sense, difference hierarchies: applications include simpler proofs and refinements of Wagner's hierarchies of $\omega$-regular languages [8]. However, we shall not need any of this more general theory; let us just define the hierarchy we need.

The difference hierarchy over $\Sigma^0_2$ is defined thus: $\Sigma^D_1 = \Sigma^0_2$; $\Pi^D_n = \neg\Sigma^D_n$; $\Sigma^D_{n+1} = \Sigma^0_2 \wedge \Pi^D_n$. To provide a simpler base case, let us also define $\Sigma^D_0 = \Sigma^0_1$ (which fits into the induction, since $\Sigma^0_2 \wedge \Pi^0_1 = \Sigma^0_2$). The main result is now

Theorem 8. $\Game\Sigma^D_n = \Sigma^\mu_{n+1}$ for $n \ge 0$.



Proof. First consider the easier direction, that $\Sigma^\mu_{n+1} \subseteq \Game\Sigma^D_n$. This is not trivial: by inspection, the parity condition of rank $n$ is in $\Sigma^D_n$, but this is not tight enough. However, if we consider more carefully the winning condition for the game of a $\Sigma^\mu_1$ formula $\tau \in \mu X.\varphi$, it says simply ‘$X$ is seen finitely often’. Since the only way a play can be infinite is to pass infinitely often through $X$, this is equivalent to saying that the play is really finite (and therefore terminates on an outright Eloise win). Hence the winning condition is really just $\exists i.$ ‘Eloise wins outright at $\alpha(i)$’, and since the outright winning conditions are recursive, this is a $\Sigma^0_1$ statement. Hence $\Sigma^\mu_1 \subseteq \Game\Sigma^0_1 = \Game\Sigma^D_0$. Now an induction following the proof of Theorem 4 gives the rest. (Of course, we already know from Theorem 5 that $\Sigma^\mu_1 = \Game\Sigma^0_1$; however, the above direct argument of the base case has the advantage of being easy to fit directly into the induction.)

The harder direction is showing that $\Game\Sigma^D_n \subseteq \Sigma^\mu_{n+1}$. For convenience we shall let Theorem 5 deal with the base case; it is an easy exercise to write down the direct proof using a simplified version of the strategy here. The inductive step is a generalization of Solovay's result, using a generalization of Wolfe's determinacy proof. We shall follow, more or less, the presentation of Wolfe's proof by Moschovakis [6], extending as necessary.

The approach is to define inductively ‘easy winning positions’, and show that 
all winning positions are easy. We then inspect the inductive definition, and see 
that it has the required form. 

Suppose we have a $\Sigma^D_n$ winning condition $P(\alpha,x)$; for notational convenience we omit the parameters $x$. Then it has the form

$(\exists i.\ Q(i,\alpha)) \wedge R(\alpha)$

where $Q$ is $\Pi^0_1$ and $R$ is $\Pi^D_{n-1}$. In Solovay's result, the winning condition is $\Sigma^0_2 = \Sigma^D_1$, and so there is no $R$ term; we have to show that the argument still goes through with this additional term, so allowing us to use the proof in an induction on $n$.

We start with a trivial but critical observation:

$(\exists i.\ Q(i,\alpha)) \wedge R(\alpha) \Leftrightarrow \exists i.\ (Q(i,\alpha) \wedge R(\alpha)).$

The second observation is that (by Lemma 1) since, for a given $i$, $Q(i,\alpha)$ is a $\Pi^0_1$ predicate of $\alpha$, there is a $\Pi^0_1$ tree $T_i \subseteq \omega^*$ such that $Q(i,\alpha) \Leftrightarrow \alpha \in [T_i]$.

We shall build the set of winning positions by a transfinite induction; to explain the technique let us first consider the base case on its own. We can define a set of really easy winning positions: let

$W^0 = \{\, u \mid \exists i.\ \text{`Eloise wins the game } H^0_i[u] = (Q(i, \alpha) \wedge R(\alpha))[u]\text{'} \,\}.$

Strictly, if $u$ is an odd length sequence, we mean the cogame $H^0_i[u]$; we will assume henceforth that 'game' means 'game' for even length $u$ and 'cogame' for odd length $u$. Now, it is clear that if $u \in W^0$, then Eloise wins the game $P[u]$.

To extend this base case into an inductive step, we first reformulate this definition using the second observation:

$W^0 = \{\, u \mid \exists i.\ \text{`Eloise wins the game } H^0_i[u] = (R(\alpha) \wedge \forall k.\, \alpha(<k) \in T_i)[u]\text{'} \,\}.$

So the 'really easy' winning positions can be thought of as the places where Eloise knows how to win $R$ while also staying within $T_i$. Now the inductive step is to look at places where Eloise knows how to win $R$ while staying within the winning positions for easier games. That is, if $W^\xi$ is defined for $\xi < \zeta$, let $W^{<\zeta} = \bigcup_{\xi < \zeta} W^\xi$, and define the game

$H^\zeta_i(\alpha) = R(\alpha) \wedge \forall k.\, \alpha(<k) \in W^{<\zeta} \cup T_i.$

Then we define

$W^\zeta = \{\, u \mid \exists i.\ \text{`Eloise wins the game } H^\zeta_i[u]\text{'} \,\}.$

We show by induction that if $u \in W^\zeta$ then $u$ is a winning position in the original game $P$. So, let $u \in W^\zeta$. Then for some $i$, Eloise wins $H^\zeta_i[u]$; let Eloise play according to her winning strategy to produce a play $\alpha$. Then by definition, $R(\alpha) \wedge \forall k.\, \alpha(<k) \in W^{<\zeta} \cup T_i$. If play ever reached a position $v = \alpha(<k) \in W^{<\zeta}$, then by induction Eloise could have won $P[v]$, so by switching to her winning strategy there, instead of continuing with $\alpha$, she can win $P[u]$. If not, then $R(\alpha) \wedge \forall k.\, \alpha(<k) \in T_i$; but then $\alpha \in [T_i]$, so $Q(i, \alpha) \wedge R(\alpha)$, so Eloise wins the play $\alpha$ in the game $P$.

Now, $W^\zeta$ is an increasing chain, and so (by cardinality) closes at some $W = W^\kappa = W^{<\kappa}$. We now show that if $u \notin W^\kappa$, then Abelard wins $P[u]$. So, let $u = a_0 \cdots a_j \notin W^\kappa$. By definition, for all $i$, Abelard wins $H^\kappa_i[u]$. (Note: see Remark 9.) Let Abelard continue to play according to his winning strategy for $H^\kappa_0[u]$, generating a play $\alpha = u\, a_{j+1} \ldots$. First suppose that $\forall k.\, \alpha(<k) \in W^{<\kappa} \cup T_0$; then we must have $\alpha \notin R$, so $\alpha \notin P$, and so Abelard has won $P$. On the other hand, suppose at some $j_0$ we have $u_0 = \alpha(<j_0) \notin W^{<\kappa} \cup T_0$. Then firstly $u_0 \notin T_0$, and since $T_0$ is a tree, any extension of $u_0$ is also $\notin T_0$. Secondly, $W^{<\kappa} = W^\kappa$, so $u_0 \notin W^\kappa$: Abelard wins all $H^\kappa_i[u_0]$. So now let Abelard switch to his strategy for $H^\kappa_1[u_0]$. Now repeat the argument: either Abelard plays and wins with $R$, or there is a $u_1 \notin W^{<\kappa} \cup T_1$. If the process of finding $u_0, u_1, \ldots$ continues for ever, then the final play $\alpha$ is not an infinite branch of any $T_i$, and so $\neg\exists i.\, Q(i, \alpha)$ and again Abelard has won the play.

We have now shown that $u \in W$ iff Eloise wins the game $P[u]$, in other words that $W = \Game\alpha.\, P(u \cdot \alpha)$. All that remains is to recast the inductive definition in terms of $\Game$ and mu-arithmetic:

$W = \mu W.\, \{\, w \mid \exists i.\ \Game\alpha.\, \bigl( R(w \cdot \alpha) \wedge \forall k.\, ((w \cdot \alpha)(<k) \in W \vee (w \cdot \alpha)(<k) \in T_i) \bigr) \,\}$

Now, $T_i$ is a $\Pi^0_1$ set, and therefore $\forall k.\ \ldots$ is also $\Pi^0_1$; $R$ is $\Pi^0_{2,n-1}$, and so the body of the game quantified expression is also $\Pi^0_{2,n-1}$. Therefore by the induction hypothesis and duality, $\Game\alpha.\ \ldots$ is equal to some $\Pi^\mu_{n-1}$ expression $\phi$, and so $W$ is indeed $\Sigma^\mu_n$. Q.E.D. □

Remark 9. At the point referring to this Remark, we seem to be assuming the determinacy of $H^\kappa_i$. At first sight, this seems odd, since the set $W^\kappa$ occurring in the definition is rather complex; however, the determinacy theorems involve the boldface classes, not the lightface, and any subset of the integers is (boldface) $\Delta^0_1$, so the determinacy theorems apply. In fact, as I have mentioned, this proof is mostly Wolfe's, and was devised to show determinacy. This works because at the end we have constructed a set $W$ such that Eloise wins $P$ iff $\langle\rangle \in W$, and Abelard wins $P$ iff $\langle\rangle \notin W$. To show determinacy, we use boldface $\Sigma^0_2$ rather than lightface $\Sigma^0_2$; the only difference this makes is that $Q$ is boldface $\Pi^0_1$ instead of lightface $\Pi^0_1$, so the trees $T_i$ are not necessarily lightface $\Pi^0_1$. The argument goes through to produce the set $W$; thus we have an inductive proof of the determinacy of boldface $\Sigma^0_{2,n}$ games, and then we look at the lightface version in order to obtain the complexity results we really want.

It is worth mentioning, as already noted in [4], that the use of fixpoint notation makes Wolfe's proof itself rather more transparent. The determinacy of (boldface) games whose winning conditions lie in the difference hierarchy over $\Sigma^0_2$ was studied by Büchi [3] in the context of monadic second-order logic; again the use of fixpoint notation allows a transparent presentation, since the formulation of Theorem 8 works also in the boldface case.

As was mentioned above, we could as well use the Rabin style hierarchy as the difference hierarchy; indeed, the even level $\Sigma^0_{2,2n}$ is equal to the Rabin class $\bigvee_{1 \le i \le n} (\Sigma^0_2 \wedge \Pi^0_2)$, and the odd levels of the difference hierarchy correspond to Rabin conditions with one disjunct being simply $\Sigma^0_2$.

Since the above proof is also defining a winning strategy, it follows from Lubarsky's characterization that

Corollary 10. A $\Sigma^0_{2,n}$ game has a winning strategy in the level $L_{\omega^{+n}}$ of Gödel's $L$, where $\omega^{+n}$ is the first $n$-reflecting admissible [5] after $\omega$.

A result that is already known, but which is much more easily seen from this approach, is

Corollary 11. The fixpoint definable sets of integers are strictly contained in $\Delta^1_2$.

Proof. Because the game quantifier is self-dual for reasonable pointclasses (Lemma 2) and because if $U(i, \alpha, x) \subseteq \omega \times {}^\omega\omega \times X$ is universal for $\Gamma$ on ${}^\omega\omega \times X$ then $\Game\alpha.\, U \subseteq \omega \times X$ is universal for $\Game\Gamma$ on $X$, the game quantifier preserves the strictness of reasonable hierarchies. In particular, it preserves the arithmetic and hyperarithmetic hierarchies. By the main theorem, the fixpoint definable sets are contained in the game quantifier applied to the difference hierarchy over $\Sigma^0_2$; but $\Delta^1_2$ contains $\Game\Delta^1_1$, a much larger set.

The fact that fixpoint definable sets are contained in $\Delta^1_2$ follows from the classical closure of $\Delta^1_2$ under inductive definitions; the strictness of the containment is established by Lubarsky's analysis, as the ordinals $\omega^{+n}$ are all less (and in some sense much less) than the first non-$\Delta^1_2$ ordinal. However, the game characterization is technically simpler, and gives a more transparent meaning to 'much less': the difference hierarchy over $\Sigma^0_2$ is 'much smaller' than $\Delta^1_1$ in a well understood sense.

5 Final Remarks 

The characterization we have established here is interesting in both directions. The fact that $\Game\Sigma^0_{2,n}$ is characterized by a natural and useful pointclass extends a little the point at which games become inherently difficult. Perhaps the other direction is more interesting: fixpoint alternation is notoriously incomprehensible, so characterizing it in terms of a simple hierarchy of games is helpful, and arguably more useful than the admissible-recursion-theoretic characterization. It also reinforces a slightly different view on the traditional world of automata with Rabin and parity conditions: 'infinitely often' is a fundamental concept in temporal logics, but really it is a fundamental concept because it is $\Pi^0_2$. Indeed, within the framework of recursion theory, any $\Pi^0_2$ statement about $\alpha$ is of the form 'infinitely often something happens at $\alpha(i)$', where in general 'something' includes statements about the previous and future elements of $\alpha$.

There are some obvious directions in which to extend this investigation. As I have mentioned, Selivanov has made a detailed study of difference-like hierarchies, and I hope that further results may emerge from applying his work. One question of particular interest is that of transfinite extensions. The fixpoint hierarchies can be extended into the transfinite in the usual way, and Selivanov's hierarchies are also transfinite. One can then ask whether our characterization here extends at all. A possibly interesting issue here is that there is something of a mismatch between the hierarchies: the first natural stopping point for a transfinite extension of the difference hierarchy is $\omega^\omega$, whereas the transfinite fixpoint hierarchy has no natural stopping point before an otherwise unknown and extremely large ordinal. I conjecture that an extension may be possible up to $\omega^\omega$; beyond there it is not clear that the question is meaningful.

Another natural question is whether this descriptive set theoretic approach 
can be used directly to establish results such as the non-collapse of the modal 
mu-calculus alternation hierarchy, avoiding the passage through arithmetic that 
was used in [2]. Here again Selivanov's work is relevant: he has shown how an approach from descriptive set theory provides elegant proofs of results on $\omega$-regular expressions.
Abstract. Resolution space measures the maximum number of clauses that need to be simultaneously active in a resolution refutation. This complexity measure was defined by Kleine Büning and Lettmann in [8] and slightly modified recently [6] to make it suitable for comparisons with other measures. Since its definition, only trivial lower bounds for the resolution space, measured in terms of the number of initial clauses, were known. In this paper we prove optimal lower bounds for the space needed in the resolution refutation of two important families of formulas. We show that Tseitin formulas associated to a certain kind of expander graphs of $n$ nodes need resolution space $n - c$ for some constant $c$. Measured on the number of clauses, this result is best possible since the mentioned formulas have $O(n)$ clauses, and the number of clauses is an upper bound for the resolution space. We also show that the formulas expressing the general Pigeonhole Principle with $n$ holes and more than $n$ pigeons need space $n + 1$ independently of the number of pigeons. Since a matching space upper bound of $n + 1$ for these formulas exists, the obtained bound is exact. These results point to a possible connection between resolution space and resolution width, another measure for the complexity of resolution refutations.



Keywords: Resolution, complexity measures, space, lower bounds, pebbling 
game. 

1 Introduction 

Resolution is perhaps the most studied propositional refutation system. This is on one hand because of its importance in many automatic theorem proving procedures, and on the other hand because of its simplicity. Resolution acts on clauses and contains only one inference rule. If $A \vee x$ and $B \vee \bar{x}$ are clauses, then the clause $A \vee B$ (the resolvent) may be inferred by the resolution rule resolving the variable $x$. A resolution refutation of a non-satisfiable conjunctive normal form (CNF) formula $\varphi$ is a sequence of clauses $C_1 \ldots C_s$, where each $C_i$ is either a clause of $\varphi$ or is inferred from earlier clauses in the refutation by the resolution rule, and $C_s$ is the empty clause, □.

* Partially supported by the DFG

Resolution refutations can be viewed as directed acyclic graphs, where the 
clauses are the nodes, and if two clauses are resolved, there is a directed edge 
from each of these two clauses to their resolvent. Resolution refutations can
be restricted to be tree-like, considering only trees as possible underlying graphs. 
In this case, each clause in the refutation is used in an inference of a new clause 
at most once. The same clause may appear more than once in the tree-like 
refutation. 

Because of the importance of resolution, several measures for the complexity 
of resolution refutations have been introduced. The most natural one is the size, 
that is, the number of clauses that are needed in the resolution refutation of a 
formula (in the case of tree-like proofs, each appearance of a clause is counted).
Using the family of formulas expressing the Pigeonhole Principle, Haken [7] 
proved for the first time an exponential lower bound on the size of a resolution 
refutation. This proof was subsequently simplified and extended to other families 
of formulas [14,5,2]. 

In spite of these results, there are still many questions about the complexity 
of resolution that remain unsolved. In an attempt to better understand this 
refutation system, other complexity measures like width and space have been 
introduced. 

Recently Ben-Sasson and Wigderson [3] unified all the existing exponential 
lower bounds for resolution size using the concept of width. The width of a reso- 
lution refutation is the maximal number of literals in any clause of the refutation. 
The authors relate in [3] width and size showing that lower bounds for resolution 
width imply lower bounds for resolution size. 

Another measure for the complexity of a resolution refutation is the amount of space it needs. This concept was initially defined by Kleine Büning and Lettmann in [8], and slightly modified in [6] in order to make it more natural and suitable for comparisons with other complexity measures¹.

Definition 1. Let $k \in \mathbb{N}$. We say that an unsatisfiable CNF formula $\varphi$ has a resolution refutation bounded by space $k$ if there is a series of CNF formulas $\varphi_1, \ldots, \varphi_n$ such that $\varphi_1 \subseteq \varphi$, $\square \in \varphi_n$, in any $\varphi_i$ there are at most $k$ clauses, and for each $i < n$, $\varphi_{i+1}$ is obtained from $\varphi_i$ by deleting (if wished) some of its clauses, adding the resolvent of two clauses of $\varphi_i$, and adding (if wished) some of the clauses of $\varphi$ (initial clauses).

The space needed for the resolution of an unsatisfiable formula $\varphi$ is the minimum $k$ for which the formula has a refutation bounded by space $k$.

Intuitively, this expresses the idea of keeping a set of active clauses in the refutation, and producing from this set a new one until the empty clause is included in the set. The new set is produced by copying clauses from the previous set or from the initial set of clauses, and resolving one pair of clauses. The space used is the maximum number of clauses that are simultaneously active in the refutation.

¹ The original definition [8] differs from the one given in [6] and here in the fact that when an initial clause has been deleted from the list of active clauses, it cannot be included again.
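To make Definition 1 concrete, here is an added Python example (not code from the paper) that checks a proposed series $\varphi_1, \ldots, \varphi_n$ against the three permitted operations and reports the space used. The four-clause formula over two variables and its space-3 refutation are constructed for the example. One liberty is taken: a step that adds no new resolvent is accepted, because a resolvent added and deleted within the same step leaves no trace in the series.

```python
"""Checking a resolution refutation against Definition 1 and measuring its space."""
from itertools import combinations

# A literal is a nonzero int: v stands for x_v, -v for its negation.
# A clause is a frozenset of literals; the empty frozenset is the empty clause.
Clause = frozenset
EMPTY = Clause()


def clause(*lits):
    return Clause(lits)


def resolve(c1, c2):
    """Resolvent of c1 and c2 on their unique clashing variable.
    Raises ValueError unless exactly one variable clashes."""
    clashes = [lit for lit in c1 if -lit in c2]
    if len(clashes) != 1:
        raise ValueError(f"{set(c1)} and {set(c2)} do not resolve")
    x = clashes[0]
    return Clause((c1 - {x}) | (c2 - {-x}))


def check_space_refutation(initial, stages):
    """Verify that `stages` (a list of clause sets phi_1..phi_n) is a refutation
    of `initial` in the sense of Definition 1 and return the space it uses.

    Step i -> i+1 may delete clauses, may add initial clauses, and may add at
    most one clause that is not initial, which must be the resolvent of two
    clauses active in phi_i. (A resolvent added and deleted in the same step
    leaves no trace, so a step without a new resolvent is accepted as well.)
    Raises ValueError at the first violation."""
    initial = set(initial)
    if not stages or not set(stages[0]) <= initial:
        raise ValueError("phi_1 must consist of initial clauses")
    for i in range(len(stages) - 1):
        cur, nxt = set(stages[i]), set(stages[i + 1])
        resolvents = {resolve(a, b) for a, b in combinations(cur, 2)
                      if len([lit for lit in a if -lit in b]) == 1}
        derived = (nxt - cur) - initial
        if len(derived) > 1 or not derived <= resolvents:
            raise ValueError(f"step {i + 1}: illegal new clauses {derived}")
    if EMPTY not in set(stages[-1]):
        raise ValueError("last stage does not contain the empty clause")
    return max(len(set(s)) for s in stages)


def refutation_space(initial, stages):
    """Space of a valid refutation, or None if it violates Definition 1."""
    try:
        return check_space_refutation(initial, stages)
    except ValueError:
        return None


# Constructed example: the four clauses over x_1, x_2 that exclude every
# assignment, refuted in space 3 (the general n + 1 bound for n = 2 variables).
PHI = {clause(1, 2), clause(-1, 2), clause(1, -2), clause(-1, -2)}
STAGES = [
    {clause(1, 2), clause(-1, 2)},               # load two initial clauses
    {clause(2), clause(1, -2)},                  # resolve on x_1, drop parents, load
    {clause(2), clause(1, -2), clause(-1, -2)},  # load; three clauses active now
    {clause(2), clause(-2)},                     # resolve on x_1, drop parents
    {EMPTY},                                     # resolve on x_2: the empty clause
]


def example_space():
    return check_space_refutation(PHI, STAGES)  # 3
```

The checker recomputes every resolvent available from the active set at each step, so a series that smuggles in a clause not derivable from the currently active clauses (a clause deleted earlier and reused, for instance) is rejected rather than silently counted.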

An upper bound on the space needed for the resolution of a formula $\varphi$ with $n$ variables is $n + 1$ [6], and there are formulas for which this is also a lower bound. On the other hand, some unsatisfiable CNF formulas (like for example those with at most 2 literals in each clause) can be resolved using only constant space [6]. However, the question of the existence of nontrivial space lower bounds measured on the number of initial clauses of the formula was open. We address this question here, obtaining optimal space lower bounds for the two important families of Tseitin formulas and formulas expressing the Pigeonhole Principle. Lower bounds for the space needed in resolution and Polynomial Calculus have also been recently considered in [1].

Very similar results also hold for these families of formulas if the width instead of the space of a resolution refutation is used [3]. This is surprising since both measures seem unrelated, and suggests that there might be a relationship between the concepts of width and space.

We show in Section 2 space lower bounds for the refutation of Tseitin formulas. This family of formulas was first defined by Tseitin [13], and expresses the principle that the sum of the degrees of the vertices in a graph must be even. Tseitin proved in [13] super-polynomial lower bounds on the size of regular resolution refutations for them. Later Urquhart [14] improved these bounds to exponential lower bounds for general resolution. We prove that the space needed for the resolution of a Tseitin formula with associated graph $G$ is at least $ex(G) - \lfloor d/2 \rfloor + 1$, where $ex(G)$ is the expansion of $G$ and $d$ its maximum degree. For Tseitin formulas corresponding to expander graphs with $n$ nodes, this means that the space needed is at least $n - c$ for some constant $c$. These formulas have $O(n)$ variables and clauses, and because of the general space upper bound mentioned above, the space needed is $\Theta(n)$, and this linear lower bound on the number of initial clauses is optimal up to a constant factor².

The family of formulas for the general Pigeonhole Principle $PHP^m_n$ expresses the fact that it is not possible to fit $m$ pigeons in $n$ pigeonholes (for $m > n$). As mentioned above, for the case $m = n + 1$, this was the first example of a family of formulas with an exponential resolution size lower bound [7]. We show that the negation of PHP formulas needs refutation space $n + 1$, independently of the number of pigeons³. In this case we have an exact bound since Messner [10] has proven that $n + 1$ is also an upper bound for the space needed for the refutation of PHP formulas with $n$ pigeonholes.

This lower bound result is also interesting due to the fact that the complexity of resolution refutations of the general Pigeon Hole Principle is not known. For example, only trivial lower bounds on the size are known when the number of pigeons $m$ is greater than

Buss and Pitassi [4] have shown that for the case of tree-like resolution, for any $m > n$, $\neg PHP^m_n$ needs tree-like resolution refutations of size at least $2^n$. This result can also be proven using a lower bound on the width of refutations for $\neg PHP^m_n$ from [3]. Due to the fact that tree-like resolution refutations of size $S$ require at most space $\lceil \log S \rceil + 1$ [6], the above mentioned space lower bound for $\neg PHP^m_n$ also provides the lower bound $2^n$ on the size of tree-like resolution refutations for these formulas.

We show then that for the case of tree-like resolution, the space needed in a refutation of a formula is at least as large as the refutation width minus the initial width of the formula. Again here we find a connection between the concepts of space and width.

² A linear space lower bound in the number of initial clauses for Tseitin formulas has been independently proven in [1].

³ A $\Theta(n)$ lower bound for the resolution space of $PHP^m_n$ has been obtained independently in [1].

The space lower bound results are proven using an alternative characteriza- 
tion of the space measure based on a pebble game on graphs. Resolution refuta- 
tions can be represented as directed acyclic graphs of in-degree two, in which the 
nodes are the clauses used in the refutation, and a vertex (clause) has outgoing 
edges to the resolvents obtained using this clause. In case that in the refutation 
no derived clauses are reused, that is, when all the nodes in the refutation graph 
(except maybe the sources) have out-degree one, the proof is called tree-like. 

The space required for the resolution refutation of a CNF formula cp (as 
expressed in Definition 1) corresponds to the minimum number of pebbles needed 
in the following game played on the graph of a refutation of cp. Observe that in 
a resolution refutation graph the sources are the initial clauses, and the unique 
sink is the empty clause. 

Definition 2. Given a connected directed acyclic graph with one sink, the aim of the pebble game is to put a pebble on the sink of the graph (the only node with no outgoing edges) following this set of rules:

1) A pebble can be placed on any initial node, that is, a node with no predecessors.

2) Any pebble can be removed from any node at any time.

3) A node can be pebbled provided all its parent nodes are pebbled. For doing so, one can place a new pebble on the node, or one can shift a pebble from a parent node.

Because of the equivalence of both definitions [6], we will talk interchangeably about the space needed in the refutation of a formula and about the number of pebbles needed in a game played on its refutation graphs.
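Definition 2 can be played mechanically. The following added Python (not the paper's code) encodes the three rules as moves between pebble configurations and searches for the smallest pebble budget with which the sink can be reached. The refutation DAG is constructed for the example: it is the graph of a refutation of the four clauses $x_1 \vee x_2$, $\bar{x}_1 \vee x_2$, $x_1 \vee \bar{x}_2$, $\bar{x}_1 \vee \bar{x}_2$, written as a map from each derived clause to its two parents (the string labels are only names).

```python
"""The pebble game of Definition 2 on a resolution refutation graph."""
from collections import deque

# Constructed refutation DAG of {x1 v x2, -x1 v x2, x1 v -x2, -x1 v -x2}.
# PARENTS maps each derived clause to the two clauses it was resolved from;
# the sources are the initial clauses and the unique sink is the empty clause "[]".
PARENTS = {
    "x2": ("x1 x2", "-x1 x2"),     # resolve on x1
    "-x2": ("x1 -x2", "-x1 -x2"),  # resolve on x1
    "[]": ("x2", "-x2"),           # resolve on x2
}


def nodes(parents):
    return set(parents) | {p for ps in parents.values() for p in ps}


def sink(parents):
    """The unique node with no outgoing edge."""
    has_out = {p for ps in parents.values() for p in ps}
    (s,) = nodes(parents) - has_out
    return s


def legal_moves(config, parents):
    """Every configuration reachable from `config` by one move under rules 1-3."""
    out = set()
    for v in nodes(parents):
        if v in config:
            out.add(config - {v})                  # rule 2: remove a pebble
        elif v not in parents:
            out.add(config | {v})                  # rule 1: pebble a source
        elif all(p in config for p in parents[v]):
            out.add(config | {v})                  # rule 3: place a new pebble
            for p in parents[v]:
                out.add((config - {p}) | {v})      # rule 3: shift one from a parent
    return out


def pebbling_number(parents):
    """Least number of pebbles with which the sink can be pebbled: for budgets
    k = 1, 2, ... search breadth-first over configurations of at most k pebbles."""
    target = sink(parents)
    for k in range(1, len(nodes(parents)) + 1):
        start = frozenset()
        seen, queue = {start}, deque([start])
        while queue:
            cfg = queue.popleft()
            if target in cfg:
                return k
            for nxt in legal_moves(cfg, parents):
                if len(nxt) <= k and nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    raise RuntimeError("sink unreachable: graph is not a connected DAG with one sink")
```

For the constructed DAG the search reports 3 pebbles: both parents of $x_2$ must be pebbled at once, and while the pebble on $x_2$ is held, both parents of $\bar{x}_2$ must be pebbled at once as well. This matches the $n + 1$ general bound for $n = 2$ variables and is the number a space-3 series in the sense of Definition 1 uses. The exhaustive search is only for small graphs; its configuration space grows as the number of subsets of at most $k$ nodes.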

The space lower bounds are obtained reasoning on the pebble game. The idea 
is the following: a critical stage in any pebbling strategy of the refutation graphs 
is defined, and then it is proved that this stage must exist, and that it must 
contain a large number of pebbles. In a critical stage it is required that there is 
a partial assignment of the variables that on one hand includes variables from 
all the pebbled clauses in that stage, and on the other hand does not satisfy a 
combinatorial property related to the input formula. 
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2 Lower Bounds on Tseitin Formulas 

In this section we study the space used in resolution refutations of some formulas related to graphs. These formulas were defined originally by Tseitin [13], and have also been used in order to prove lower bounds on the size of resolution refutations in [14] and [12].

Let $G = (V, E)$ be a connected undirected graph with $n$ vertices, and let $m : V \to \{0, 1\}$ be a marking of the vertices of $G$ satisfying the property

$\sum_{x \in V} m(x) \equiv 1 \pmod 2.$

For such a graph we can define an unsatisfiable formula in conjunctive normal form $F(G, m)$ in the following way: The formula has $E$ as set of variables, and is a conjunction of the formulas $F_x$ for $x \in V$, where

$F_x = \begin{cases} e_1(x) \oplus \ldots \oplus e_d(x) & \text{if } m(x) = 1 \\ \neg(e_1(x) \oplus \ldots \oplus e_d(x)) & \text{if } m(x) = 0 \end{cases}$

Here $e_1(x) \ldots e_d(x)$ are the edges (variables) incident with vertex $x$. If $d$ is the maximum degree of a node in $G$, $F(G, m)$ contains at most $n 2^d$ many clauses, each one with at most $d$ many literals. The number of variables of the formula is bounded by $nd/2$.

$F(G, m)$ captures the combinatorial principle that for all graphs the sum of the degrees of the vertices is even. When the marking $m$ is odd, $F(G, m)$ is unsatisfiable. Suppose on the contrary that there were a satisfying assignment $\varphi : E \to \{0, 1\}$. For every vertex $x$, the number of edges of $x$ that have been assigned value 1 by $\varphi$ has the same parity as $m(x)$, and therefore

$\sum_{x \in V} \sum_{(x, y) \in E} \varphi((x, y)) \equiv \sum_{x \in V} m(x) \equiv 1 \pmod 2,$

but in the left hand sum of the equality every edge is counted twice, and therefore this sum must be even, which is a contradiction.

Fact 1. For an odd marking $m$, for every $x \in V$ there exists an assignment $\varphi$ with $\varphi(F_x) = 0$, and $\varphi(F_y) = 1$ for all $y \neq x$. If the marking is even, then $F(G, m)$ is satisfiable.

Consider a partial truth assignment $t$ of some of the variables. We refer to the following process as applying $t$ to $(G, m)$: Setting a variable $(x, y)$ in $t$ to 0 corresponds to deleting the edge $(x, y)$ in the graph, and setting it to 1 corresponds to deleting the edge from the graph and toggling the value of $m(x)$ and $m(y)$ in $G$. Observe that the formula $F(G', m')$ for the graph and marking $(G', m')$ resulting after applying $t$ to $(G, m)$ is still unsatisfiable, since toggling two marks preserves the parity of the marking.

In order to prove the lower bound we will consider the last stage in any 
pebbling strategy in which two properties are satisfied. On the one hand, the 
set of pebbled clauses must be simultaneously satisfiable. The other property 
needed is based on non-splitting assignments, a concept that we define next. 
Definition 3. We say that a partial truth assignment $t$ of some of the variables in $F(G, m)$ is non-splitting for $(G, m)$, if applying it to $(G, m)$ produces a pair $(G', m')$ so that $G'$ has a connected component of size $> 2n/3$ with an odd number of 1's in its marking, and an even number of 1's in the markings of all other connected components.

Definition 4. Let $G = (V, E)$ be an undirected graph with $|V| = n$. The expansion of $G$, $ex(G)$, is defined as:

$ex(G) = \max \{\, k : \forall S \subseteq V,\ \tfrac{n}{3} \le |S| \le \tfrac{2n}{3} \Rightarrow |\{(x, y) \in E : x \in S, y \notin S\}| \ge k \,\}.$

Intuitively the expansion of a graph is the minimum size of a cut produced when the vertices are partitioned into two subsets that do not differ too much in size. As shown in the next theorem, the expansion of a graph is a lower bound on the space required in the resolution of its associated Tseitin formula.
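The objects of this section can all be computed for small graphs. The following added Python example (not code from the paper) builds the clauses of $F(G, m)$ from the parity constraints $F_x$, applies a partial assignment to $(G, m)$ as described above, tests the non-splitting property of Definition 3, and computes $ex(G)$ of Definition 4 by enumerating all vertex subsets, together with the quantity $ex(G) - \lfloor d/2 \rfloor + 1$ announced in the introduction. The graph (a 4-cycle with one chord) and its odd marking are constructed for the example; the literal encoding as (edge, value) pairs is the example's own.

```python
"""Tseitin formulas F(G, m), applying partial assignments to (G, m), the
non-splitting property (Definition 3) and the expansion ex(G) (Definition 4)."""
from itertools import combinations, product

# Constructed example: a 4-cycle with one chord, vertices 0..3, odd marking.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 0), (0, 2)]
ODD_MARKING = {0: 1, 1: 0, 2: 0, 3: 0}     # sum of marks is odd


def incident(edges, x):
    return [e for e in edges if x in e]


def tseitin_cnf(edges, marking):
    """Clauses of F(G, m): for each vertex x, e_1(x) xor ... xor e_d(x) = m(x)
    expanded into the 2^(d-1) clauses that forbid each wrong-parity assignment.
    A literal is (edge, value); a clause is a frozenset of literals."""
    clauses = set()
    for x, mx in marking.items():
        inc = incident(edges, x)
        for bits in product((0, 1), repeat=len(inc)):
            if sum(bits) % 2 != mx:              # forbidden assignment of x's edges
                clauses.add(frozenset((e, 1 - b) for e, b in zip(inc, bits)))
    return clauses


def satisfiable(clauses, edges):
    """Brute-force satisfiability over the edge variables (small graphs only)."""
    for bits in product((0, 1), repeat=len(edges)):
        a = dict(zip(edges, bits))
        if all(any(a[e] == v for e, v in c) for c in clauses):
            return True
    return False


def apply_assignment(edges, marking, t):
    """Apply t (edge -> 0/1): an edge set to 0 is deleted, an edge set to 1 is
    deleted and the marks of both its endpoints are toggled."""
    m = dict(marking)
    for (x, y), v in t.items():
        if v == 1:
            m[x] ^= 1
            m[y] ^= 1
    return [e for e in edges if e not in t], m


def components(vertices, edges):
    comps, todo = [], set(vertices)
    while todo:
        comp, stack = set(), [todo.pop()]
        while stack:
            v = stack.pop()
            comp.add(v)
            for a, b in edges:
                for u, w in ((a, b), (b, a)):
                    if u == v and w in todo:
                        todo.discard(w)
                        stack.append(w)
        comps.append(comp)
    return comps


def non_splitting(edges, marking, t):
    """Definition 3: after applying t, exactly one component carries an odd
    marking (all others are even) and that component has size > 2n/3."""
    rest, m = apply_assignment(edges, marking, t)
    n = len(marking)
    odd = [c for c in components(marking, rest) if sum(m[v] for v in c) % 2 == 1]
    return len(odd) == 1 and 3 * len(odd[0]) > 2 * n


def expansion(edges, vertices):
    """Definition 4: the fewest edges leaving any S with n/3 <= |S| <= 2n/3."""
    n = len(vertices)
    cuts = [sum(1 for a, b in edges if (a in S) != (b in S))
            for k in range(n + 1) if n <= 3 * k <= 2 * n
            for S in map(set, combinations(vertices, k))]
    return min(cuts)


def theorem2_bound(edges, vertices):
    """The quantity ex(G) - floor(d/2) + 1, with d the maximum degree."""
    d = max(len(incident(edges, x)) for x in vertices)
    return expansion(edges, vertices) - d // 2 + 1
```

On the constructed graph the odd marking gives an unsatisfiable formula and the all-zero marking a satisfiable one, as the parity argument above predicts; deleting the three edges at vertex 0 is a splitting assignment (the odd component left is a single vertex), while setting the chord $(0, 2)$ to 1 keeps the graph connected with an odd marking and is non-splitting.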

Theorem 2. Let $G = (V, E)$ be an undirected and connected graph with $|V| = n$ and maximum degree $d$, and let $m$ be an odd marking of $G$. Any resolution refutation of $F(G, m)$ requires space at least $ex(G) - \lfloor d/2 \rfloor + 1$.

Proof. Let $\Pi$ be a resolution refutation of the formula, and consider the last stage $s$ in a pebbling strategy of the graph of $\Pi$ in which there is a partial assignment $t$ fulfilling the following two properties:

i) $t$ simultaneously satisfies all the pebbled clauses at stage $s$,

ii) $t$ is non-splitting for $(G, m)$.

This stage in the pebbling must exist: Before the initial step, no clause has a pebble. Since $G$ is connected, the empty truth assignment is trivially a non-splitting partial assignment satisfying the set of pebbled clauses. At the end, the set of pebbled clauses contains the empty clause, which cannot be satisfied by any assignment. Stage $s$ must exist in between.

The clause pebbled in stage $s + 1$ must be an initial one. The only other clause that could be pebbled at stage $s + 1$ would be a clause $C_3$ whose parents $C_1$ and $C_2$ already have a pebble, but any partial assignment satisfying $C_1$ and $C_2$ also satisfies $C_3$, and the non-splitting partial assignment from stage $s$ would also work for stage $s + 1$. For some vertex $x$ in $G$, this last initial pebbled clause corresponds to the formula $F_x$.

Let $t$ be a partial assignment satisfying properties i) and ii) at stage $s$. There is an extension of $t$ that satisfies $F'_x$, the formula for $x$ after applying $t$. To see this, observe that after applying $t$ to $(G, m)$, the graph has a connected component of size greater than $2n/3$ with an odd marking, and the rest of the components have even markings. By Fact 1, for every vertex $x$, the formula $F'_x$ can therefore be satisfied by an extension of $t$. Moreover, the initial clause $C$ pebbled at stage $s + 1$ corresponds to a vertex $x$ in the big connected component with odd marking, since otherwise there would also be non-splitting partial assignments satisfying all the pebbled clauses at stage $s + 1$.
Let $t$ be a non-splitting partial truth assignment of minimal size satisfying the clauses at stage $s$, and $(G', m')$ the graph and marking resulting after applying $t$. It suffices to extend $t$ giving some value to one or more of the variables in the last pebbled clause to obtain an assignment $t'$ satisfying all the clauses pebbled at stage $s + 1$. However, $t'$ is a splitting assignment, and applying it to $(G, m)$ does not produce a connected component larger than $2n/3$ with odd marking. We will show that there is always a way to extend $t$ to $t'$ by assigning some new variables in the last pebbled clause $C$, in such a way that $t'$ satisfies all the pebbled clauses and produces a subgraph disconnected from the rest and with a number of nodes in the interval $[n/3, 2n/3]$.

Let $C$ be the initial clause pebbled at stage $s + 1$, corresponding to a node $x$, and let $d'$ be the degree of $x$ in $G'$ ($d' \le d$). $F'_x$ is the formula $e_1(x) \oplus \ldots \oplus e_{d'}(x) = m'(x)$. We have shown that this formula is satisfiable. $d'$ is at least 1, since otherwise $t$ would also satisfy $F_x$.

$x$ is connected in $G'$ to $d'$ components $A_1, \ldots, A_{d'}$, and there is no edge between any two of such components $A_i, A_j$. Otherwise, satisfying the clause $C$ by satisfying the literal corresponding to the edge connecting $x$ and $A_j$ would provide a non-splitting extension of $t$.

We consider different cases depending on the size of the $A_i$ components.

Case 1: Some component $A_i$ has size within the interval. Deleting the edge connecting $x$ and $A_i$, this component is isolated from the rest of the graph.

Case 2: The sizes of all the $A_i$ components lie outside the interval. This implies that they all have size smaller than $n/3$, since otherwise, by Fact 1, there would be an extension of $t$ that satisfies $C$ and disconnects all the components from node $x$, producing an odd marking in the component of size greater than $2n/3$ and an even marking in all the other ones. This would provide a non-splitting assignment satisfying all the pebbled clauses at stage $s + 1$. The size of all the components $A_i$ is therefore smaller than $n/3$, and the sum of all their sizes is greater than $2n/3 - 1$. There is a set of at most $\lfloor d/2 \rfloor$ components such that the sum of their sizes lies within the interval. This set of components can be isolated from the rest of the graph just by deleting the edges connecting them to $x$.

In both cases, by deleting at most $\lfloor d/2 \rfloor$ edges from $G'$ we have isolated a set of nodes $S$ of size within $[n/3, 2n/3]$ from the rest of the graph. There are at least $ex(G)$ edges $(y, z)$ in $G$ with $y \in S$ and $z \notin S$. All these edges, except at most $\lfloor d/2 \rfloor$ of them, have been removed by the partial assignment $t$. Since $t$ was chosen to be an assignment of minimal size satisfying all the pebbled clauses at stage $s$, each variable assigned by $t$ is needed for some pebbled clause, so there are at least $ex(G) - \lfloor d/2 \rfloor$ pebbled clauses at this stage and $ex(G) - \lfloor d/2 \rfloor + 1$ pebbled clauses at stage $s + 1$.



There exist expander graphs $G$ with $n$ nodes, constant degree $d$ and with $ex(G) \ge n$ [9]. In [11] it is shown that the degree for such expander graphs can be reduced to $d = 8$. For an odd marking of such a graph the formula $F(G, m)$ has at most $nd/2 = 4n$ variables and $n 2^d = 256n$ clauses. By the above result, the space needed in a resolution refutation of $F(G, m)$ is at least $n - 3$, as stated in the next corollary:

Corollary 1. For the constant $d = 8$ there is a family of unsatisfiable formulas $F_1, F_2, \ldots$ (corresponding to expander graphs) such that for every $n$, $F_n$ has at most $256n$ clauses and $4n$ variables, and any resolution refutation of $F_n$ requires at least space $n - 3$.

The number of variables of a formula plus one is an upper bound for its resolution space [6]. For the family of formulas mentioned in the corollary, the space needed is therefore $\Theta(n)$. Observe that this bound is linear, measured in terms of the number of clauses of the formula.

An interesting fact is that Theorem 2 (even with the lower bound $ex(G)$ instead of $ex(G) - \lfloor d/2 \rfloor + 1$) also holds if the width of the refutation instead of the space is considered [3].

3 The Pigeonhole Principle 

Let $m > n$. The tautology $PHP^m_n$ expresses the Pigeonhole Principle that there is no one-one mapping from a domain of size $m$ (the set of pigeons) into a range of size $n$ (the set of holes). We study the space needed in a resolution refutation of the contradiction $\neg PHP^m_n$. This contradiction can be written as a CNF formula in the following way: The variables of the formula are $x_{i,j}$, $1 \le i \le m$, $1 \le j \le n$. $x_{i,j}$ has the intuitive meaning that pigeon $i$ is mapped to hole $j$. There are $mn$ variables. The clauses of the formula are:

(1) $x_{i,1} \vee x_{i,2} \vee \ldots \vee x_{i,n}$ for $1 \le i \le m$, and

(2) $\bar{x}_{i,k} \vee \bar{x}_{j,k}$ for $1 \le i, j \le m$, $1 \le k \le n$, $i \neq j$.

Clauses of type (1) express the fact that every pigeon is mapped to some hole, while the clauses of type (2) indicate that at most one pigeon can be mapped to any hole.

The number of clauses in $\neg PHP^m_n$ is $m + \binom{m}{2} n \le m^2 n$.
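As an added illustration (not code from the paper), the following Python builds the clause set of $\neg PHP^m_n$ exactly as in (1) and (2), checks the clause count against $m + \binom{m}{2} n$, and confirms by brute force that the formula is unsatisfiable for $m > n$ and satisfiable for $m = n$ (a one-one mapping exists then). The encoding of $x_{i,j}$ as the pair $(i, j)$ and of literals as (variable, value) pairs is the example's own choice.

```python
"""The CNF formula for the negation of the Pigeonhole Principle, as in (1) and (2)."""
from itertools import combinations, product
from math import comb


def pvar(i, j):
    """The variable x_{i,j}: pigeon i (1..m) is mapped to hole j (1..n)."""
    return (i, j)


def neg_php(m, n):
    """Clauses of not-PHP^m_n; a literal is (variable, value), a clause a frozenset."""
    clauses = set()
    for i in range(1, m + 1):                      # (1): pigeon i gets some hole
        clauses.add(frozenset((pvar(i, j), 1) for j in range(1, n + 1)))
    for k in range(1, n + 1):                      # (2): hole k holds at most one pigeon
        for i, j in combinations(range(1, m + 1), 2):
            clauses.add(frozenset({(pvar(i, k), 0), (pvar(j, k), 0)}))
    return clauses


def expected_clause_count(m, n):
    """m clauses of type (1) plus C(m, 2) * n clauses of type (2)."""
    return m + comb(m, 2) * n


def satisfiable(clauses, m, n):
    """Brute-force check over all 2^(mn) assignments (tiny m, n only)."""
    variables = [pvar(i, j) for i in range(1, m + 1) for j in range(1, n + 1)]
    for bits in product((0, 1), repeat=len(variables)):
        a = dict(zip(variables, bits))
        if all(any(a[v] == val for v, val in c) for c in clauses):
            return True
    return False
```

The brute-force check is exponential in $mn$ and is only meant to confirm the construction on instances such as $m = 3$, $n = 2$; the count function, by contrast, is what one would use to size the formula for the $m^2 n$ bound above.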

Theorem 3. For any $m > n$, the space needed in a resolution refutation of $\neg PHP^m_n$ is at least $n + 1$.

Proof. Let 77 be a resolution refutation of -iPHP™ and consider the last stage s 
in a pebbling strategy of the graph of FI in which there is a partial assignment 
t fulfilling the following two properties: 

i) t simultaneously satisfies all the pebbled clauses at stage s, and 

ii) t does not assign value false to any of the initial clauses. 

At stage s = 0 in the pebbling process, such a partial assignment t exists 
since there are no pebbled clauses. Also, at the end of the pebbling, the empty 
clause has a pebble on it and therefore there is no t fulfilling property i). Because 
of this, the stage s defined above must exist. 

The pebble from stage s + 1 is placed on an initial clause. Otherwise the two 
parents of the clause pebbled at stage s + 1 carry a pebble at stage s, and 
any partial assignment satisfying the pebbled clauses at stage s also satisfies the 
clauses pebbled at stage s + 1, contradicting the choice of s. 

Let t be a partial assignment simultaneously satisfying all the pebbled clauses 
at stage s. Then t can be extended to a partial assignment t' that satisfies the last 
pebbled clause C. We have seen that C must be an initial clause. If no extension 
of t could satisfy clause C, this would be because t assigns value false to all the literals in C; 
but this is a contradiction, since C is an initial clause and, by condition ii), t 
cannot give value false to any initial clause. 

Let t be a partial assignment of minimal size satisfying all the pebbled clauses 
at stage s and not giving value false to any initial clause, and let t' be any 
extension of t satisfying the clause C pebbled at stage s + 1. By hypothesis (s is 
the last stage with property i) and ii)), t' falsifies some initial clause. 

If C is of type (1) for some pigeon i, C can be satisfied by giving value true 
to some variable x_{i,k} that has not been assigned by t. This makes some initial 
clause C_{i,k} false, and therefore C_{i,k} must be of type (2), C_{i,k} = ¬x_{i,k} ∨ ¬x_{j,k} for 
some j. This implies that for any hole k, t assigns variable x_{i,k} the value false, or 
variable x_{j,k} the value true (for some j ≠ i), and therefore t assigns at least as many 
variables as holes. Since t was a partial assignment of minimal size satisfying all 
the pebbled clauses at stage s, in this stage at least n clauses were pebbled, and 
in s + 1 at least n + 1. 

If C is of type (2), C = ¬x_{i,k} ∨ ¬x_{j,k}, assigning value true to any literal in C 
that has not been assigned by t falsifies some initial clause of type (1). If t has 
not assigned a value to any of the variables in C, this means that the number of 
variables assigned by t is at least 2n − 2. Otherwise t has assigned at least n 
variables. For n ≥ 2, this implies that the number of variables assigned by t is 
at least n, which means that the number of pebbled clauses at stage s is at 
least n, and at stage s + 1 at least n + 1. ■ 

Jochen Messner [10] has proved that n + 1 pebbles suffice in a resolution 
refutation of the Pigeonhole Principle with n holes and m > n pigeons. This 
means that the above space lower bound is exact. 

Although only trivial lower bounds for the size of a resolution refutation of 
the general Pigeonhole Principle ¬PHP^m_n are known for the case m > n², the 
situation is better when restricted to tree-like resolution. In [4] it is shown that 
for any m > n, ¬PHP^m_n requires tree-like resolution refutations of size 2^n. Using 
the following result from [6] we can derive this bound as a corollary of the above 
space lower bound. 

Theorem 4. [6] Let φ be an unsatisfiable CNF formula with a tree-like resolution 
refutation of size S; then φ has a resolution refutation of space ⌈log S⌉ + 1. 
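The corollary spelled out (this derivation is added here for clarity and is not part of the original text). Let S be the size of a tree-like refutation of ¬PHP^m_n; Theorem 4 turns it into a refutation of space ⌈log S⌉ + 1, and Theorem 3 bounds the space of every refutation from below:

$$
n + 1 \;\le\; \lceil \log S \rceil + 1
\quad\Longrightarrow\quad \lceil \log S \rceil \;\ge\; n
\quad\Longrightarrow\quad S \;>\; 2^{\,n-1},
$$

so the tree-like size of $\neg PHP^m_n$ is $2^{\Omega(n)}$, within a factor of 2 of the bound of [4].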

The same bound for tree-like refutations of ¬PHP^m_n has also been obtained in [3], 
using a lower bound on the width of the refutations of ¬PHP^m_n. 

4 Tree-Like Refutations, Space and Width 

The relationship between the two complexity measures of space and width is not 
clear. Recall that the width of a refutation denotes the maximum number of literals 
of a clause appearing in the refutation. Formally: 

Definition 5. [3] The width of a clause C, w(C), is defined as the number of 
literals in C. The width of a set of clauses is the maximal width of a clause in 
the set. The width of deriving a clause C from the formula φ, denoted w(φ ⊢ C), 
is defined by min_Π {w(Π)}, where the minimum is taken over all resolution 
derivations Π of C from φ. 

In the case of tree-like resolution we can show a connection between the 
concepts of space and width. For an unsatisfiable formula φ, define tree-space(φ) 
to be the minimum number of pebbles needed in a tree-like resolution refutation 
of φ. For any unsatisfiable formula φ, the difference between the width of a 
refutation of φ and the initial width of the formula is bounded by the space 
of any tree-like refutation of the formula. The proof of this fact relies on the 
following lemma from Ben-Sasson and Wigderson: 

Lemma 1. [3] Let φ be an unsatisfiable CNF formula, and for a literal a, let φ_0 and 
φ_1 be the formulas resulting from assigning a the truth values 0 and 1, respectively. 
If for some value k, w(φ_0 ⊢ □) ≤ k − 1 and w(φ_1 ⊢ □) ≤ k, then w(φ ⊢ □) ≤ 
max{k, w(φ)}. 

Theorem 5. tree-space(φ) − 1 ≥ w(φ ⊢ □) − w(φ). 

Proof. Let φ be an unsatisfiable CNF formula, and s the minimum number of 
pebbles needed in any tree-like refutation Π of φ. We prove by induction on 
the depth d of Π that w(φ ⊢ □) ≤ w(φ) + s − 1. For d = 0, we have that □ is 
an initial clause, and the result holds trivially. For d > 0, let Π be a tree-like 
refutation of φ of depth d and let x be the last variable being resolved. Let 
Π_0 and Π_1 be the subtrees of the refutation deriving the literals x and ¬x from 
initial clauses, and let s_0 and s_1 be the number of pebbles needed to pebble 
these subtrees, reaching the literals x and ¬x. Since we are dealing with a tree-like 
refutation, either s_0 or s_1 must be smaller than s: in order to 
place a pebble on the empty clause the two subtrees must previously be pebbled, 
and the pebbles in one of the subtrees do not affect the pebbling of the other 
one. W.l.o.g. let us consider s_0 < s. Also, Π_0 and Π_1 have depth smaller than d. 

Applying the partial assignment x = 0 to all the clauses in Π_0 (respectively 
the partial truth assignment x = 1 to the clauses in Π_1), we obtain two refutation 
trees deriving the empty clause from two sets of clauses φ_0, φ_1. By induction, 
w(φ_0 ⊢ □) ≤ w(φ_0) + s_0 − 1 ≤ w(φ) + s − 2, and w(φ_1 ⊢ □) ≤ w(φ_1) + s_1 − 1 ≤ 
w(φ) + s − 1. Applying Lemma 1 with k = w(φ) + s − 1 we obtain s − 1 ≥ w(φ ⊢ □) − w(φ). ■ 

This result shows that when the width of the initial clauses is small with 
respect to the width of some internal clause, width lower bounds can be used 
to obtain space lower bounds for the restricted case of tree-like resolution. For 
example, for the case of a Tseitin formula related to an undirected graph G with 
odd marking, Ben-Sasson and Wigderson showed that the width is at least the 
expansion of G. By the above result, this implies a space lower bound for tree-like 
resolution of at least the expansion of G minus the maximal degree of the 
graph, which is a little worse than the space lower bound for general resolution 
for these formulas obtained in Theorem 2. 
5 Discussion 

We have shown lower bounds for the resolution space of Tseitin and Pigeonhole 
formulas. These lower bounds are optimal since matching upper bounds exist. 
Besides the interest the bounds have on their own for a better understanding 
of the mentioned classes of formulas, these results point to a possible connection 
between the seemingly unrelated measures of resolution width and space. 
Lower bounds similar to the ones shown here also hold for the case of width, 
and besides, it is known that for the case of tree-like resolution both width and 
space lower bounds imply exponentially larger size lower bounds. However, the 
question of whether space lower bounds imply size lower bounds for other 
restrictions of resolution is still open. The question of non-trivial lower bounds 
for the resolution space of random CNF formulas is another interesting open 
problem. 

Acknowledgment: The author would like to thank Jochen Messner for helpful 
discussions on earlier versions of the paper. 
Abstract. We characterize the class of problems accepted by a class of 
program schemes with arrays, NPSA, as the class of problems defined 
by the sentences of a logic formed by extending first-order logic with 
a particular uniform sequence of Lindström quantifiers. We prove that 
our logic, and consequently our class of program schemes, has a zero-one 
law. However, we show that there are problems definable in a basic 
fragment of our logic, and so also accepted by basic program schemes, 
which are not definable in bounded-variable infinitary logic. Hence, the 
class of problems NPSA is not contained in the class of problems defined 
by the sentences of partial fixed-point logic even though, in the presence 
of a built-in successor relation, both NPSA and partial fixed-point logic 
capture the complexity class PSPACE. 



1 Introduction 

This paper is a continuation of the study of the classes of problems captured by 
different classes of program schemes (in this study, the particular emphasis is on 
a comparison with the classes of problems defined by the sentences of well-known 
logics from finite model theory). Program schemes form a model of computation 
that is amenable to logical analysis yet is closer to the general notion of a 
program than a logical formula is. Program schemes were extensively studied in 
the seventies (for example, see [3,7,11,17]), without much regard being paid to 
an analysis of resources, before a closer complexity analysis was undertaken in, 
mainly, the eighties (for example, see [12,14,22]). There are connections between 
program schemes and logics of programs, especially dynamic logic [8,15]. One 
might also view many query languages from database theory as classes of program 
schemes, although query languages tend to operate on relations as opposed 
to individual elements (for example, see the while language from [1,4,5] and the 
language BQL from [4,16]). 

The results in [2,6,18,21] testify that the study of program schemes is intimately 
related with more mainstream logics from finite model theory. In [18], 
program schemes allowing assignments, while instructions with quantifier-free 
tests, non-determinism and access to arrays were studied but only in the presence 
of a built-in successor relation (the class of problems accepted by such 
program schemes was shown to be PSPACE). It is with these program schemes 
and their extensions, obtained by allowing universally quantified program 
schemes to appear as tests in while instructions, that we are concerned in this 
paper but in the absence of any built-in relations; that is, the class of program 
schemes NPSA (non-deterministic program schemes with arrays). Our class of 
program schemes NPSA is quite natural. It consists of the union of an infinite 
hierarchy of classes of program schemes 

NPSA(1) ⊆ NPSA(2) ⊆ NPSA(3) ⊆ ... 

The program schemes of NPSA(1) are built by allowing assignments, while 
instructions with quantifier-free tests, non-determinism and access to arrays (full 
details follow later). The program schemes of NPSA(2) are built from program 
schemes of NPSA(1) by universally quantifying free variables. The program schemes 
of NPSA(3) are built as are the program schemes of NPSA(1) except that 
tests in while instructions can be program schemes of NPSA(2). The program 
schemes of NPSA(4) are built from program schemes of NPSA(3) by universally 
quantifying free variables; and so on. 

What is crucial is our definition of the semantics. Consider, for example, a 
while instruction in a program scheme ρ of NPSA(3) where the test is a program 
scheme ρ' of NPSA(2). In order to evaluate whether the test is true or not, the 
arrays from ρ are not 'passed over' to the program scheme ρ': the evaluation of 
ρ' has no access to the arrays of ρ. After evaluation of ρ' has been completed, 
the computation of the program scheme ρ resumes accordingly with its arrays 
having exactly the same values as they had immediately prior to the evaluation 
of ρ'. It is essentially our semantic definition that enables us to characterize the 
class of problems accepted by the program schemes of NPSA as the class of 
problems defined by the sentences of a logic (±Ω)*[FO] formed by extending 
first-order logic with a particular uniform (or vectorized) sequence of Lindström 
quantifiers (where this uniform sequence of Lindström quantifiers corresponds to 
a PSPACE-complete problem Ω). Moreover, we show that the logic (±Ω)*[FO] 
has a zero-one law; but not because it is a fragment of bounded-variable infinitary 
logic, as is so often the case in finite model theory, for we show that there 
are problems definable in NPSA (in NPSA(1) even) which are not definable in 
bounded-variable infinitary logic. Consequently, whilst both NPSA and partial 
fixed-point logic capture the complexity class PSPACE in the presence of a 
built-in successor relation, there are problems in NPSA which are not definable 
in partial fixed-point logic. If our semantics were such as to allow for universal 
quantification over arrays then we could simply guess a successor relation and 
hold our guesses in an array, use universal quantification to verify that the guessed 
relation was indeed a successor relation and subsequently use this guessed 
relation as our successor relation throughout. Consequently, we would have captured 
PSPACE and not the interesting logics (with zero-one laws but which are 
not fragments of bounded-variable infinitary logic) encountered in this paper. 
2 Preliminaries 

Ordinarily, a signature σ is a tuple (R_1, ..., R_r, C_1, ..., C_c), where each R_i is 
a relation symbol, of arity a_i, and each C_j is a constant symbol. However, we 
sometimes consider signatures in which there are no constant symbols; that is, 
relational signatures. A finite structure A over the signature σ, or σ-structure, 
consists of a finite universe or domain |A| together with a relation R_i of arity 
a_i, for every relation symbol R_i of σ, and a constant C_j ∈ |A|, for every constant 
symbol C_j (by an abuse of notation, we do not distinguish between constants or 
relations and constant or relation symbols). A finite structure A whose domain 
consists of n distinct elements has size n, and we denote the size of A by |A| also 
(this does not cause confusion). We only ever consider finite structures of size at 
least 2, and the class of all finite structures of size at least 2 over the signature 
σ is denoted STRUCT(σ). A problem over some signature σ consists of a subset 
of STRUCT(σ) that is closed under isomorphism; that is, if A is in the problem 
then so is every isomorphic copy of A. Throughout, all our structures are finite. 

We are now in a position to consider the class of problems defined by the 
sentences of first-order logic, FO: we denote this class of problems by FO also, 
and do likewise for other logics. It is widely acknowledged that, as a means for 
defining problems, first-order logic leaves a lot to be desired especially when 
we have in mind developing a relationship between computational complexity 
and logical definability. In particular, every first-order definable problem can be 
accepted by a logspace deterministic Turing machine yet there are problems in 
the complexity class L which can not be defined in first-order logic (one such 
being the problem consisting of all those structures, over any signature, that 
have even size). One way of increasing the expressibility of FO is to augment 
FO with a uniform or vectorized sequence of Lindström quantifiers, or operator 
for short (the reader is referred to [10] for details). The archetypal example of 
such an extension is Immerman’s transitive closure logic [13], and we shall see 
another such extension of FO soon. 

An alternative and more computational means for defining classes of problems 
is to use program schemes. A program scheme ρ ∈ NPSA(1) involves a 
finite set {x_1, x_2, ..., x_k} of variables, for some k ≥ 1, and is over a signature 
σ. It consists of a finite sequence of instructions where each instruction, apart 
from the first and the last, is one of the following: 

— an assignment instruction of the form 'x_i := y', where i ∈ {1, 2, ..., k} and 
where y is a variable from {x_1, x_2, ..., x_k}, a constant symbol of σ or one 
of the special constant symbols 0 and max which do not appear in any 
signature; 

— an assignment instruction of the form 'x_i := A[y_1, y_2, ..., y_d]' or 'A[y_1, y_2, 
..., y_d] := y_0', for some i ∈ {1, 2, ..., k}, where each y_j is a variable from 
{x_1, x_2, ..., x_k}, a constant symbol of σ or one of the special constant symbols 
0 and max which do not appear in any signature, and where A is an 
array symbol of dimension d; 

— a guess instruction of the form 'GUESS x_i', where i ∈ {1, 2, ..., k}; or 

— a while instruction of the form 'WHILE φ DO α_1; α_2; ...; α_q OD', where 
φ is a quantifier-free formula of FO(σ ∪ {0, max}), whose free variables are 
from {x_1, x_2, ..., x_k}, and where each of α_1, α_2, ..., α_q is another instruction 
of one of the forms given here (note that there may be nested while 
instructions). 

The first instruction of ρ is 'INPUT(x_1, x_2, ..., x_l)' and the last instruction is 
'OUTPUT(x_1, x_2, ..., x_l)', for some l where 1 ≤ l ≤ k. The variables x_1, x_2, ..., 
x_l are the input-output variables of ρ, the variables x_{l+1}, x_{l+2}, ..., x_k are the free 
variables of ρ and, further, any free variable of ρ never appears on the left-hand 
side of an assignment instruction nor in a guess instruction. Essentially, free 
variables appear in ρ as if they were constant symbols. 

A program scheme ρ ∈ NPSA(1) over σ with s free variables, say, takes a 
σ-structure A and s additional values from |A|, one for each free variable of ρ, 
as input; that is, an expansion A' of A by adjoining s additional constants. The 
program scheme ρ computes on A' in the obvious way except that: 

— execution of the instruction 'GUESS x_i' non-deterministically assigns an 
element of |A| to the variable x_i; 

— the constants 0 and max are interpreted as two arbitrary but distinct elements 
of |A|; and 

— initially, every input-output variable and every array element is assumed to 
have the value 0. 

Note that throughout a computation of ρ, the value of any free variable does 
not change. The expansion A' of the structure A is accepted by ρ, and we write 
A' ⊨ ρ, if, and only if, there exists a computation of ρ on this expansion such 
that the output instruction is reached with all input-output variables having the 
value max. (We can easily build the usual 'if' and 'if-then-else' instructions using 
while instructions: see, for example, [18]. Henceforth, we shall assume that these 
instructions are at our disposal.) 

We want the sets of structures accepted by our program schemes to be problems, 
i.e., closed under isomorphism, and so we only ever consider program 
schemes ρ where a structure is accepted by ρ when 0 and max are given two 
distinct values from the universe of the structure if, and only if, it is accepted no 
matter which pair of distinct values is chosen for 0 and max. This is analogous 
to how we build a successor relation or 2 constant symbols into a logic (see [10]). 
Indeed, we can build a successor relation into our program schemes of NPSA(1) 
so as to obtain the class of program schemes NPSA_s(1). As with our logics, we 
write NPSA(1) and NPSA_s(1) to also denote the class of problems accepted by 
the program schemes of NPSA(1) and NPSA_s(1), respectively. It was proven in 
[18] that a problem is in the complexity class PSPACE if, and only if, it is in 
NPSA_s(1). 

Henceforth, we think of our program schemes as being written in the style 
of a computer program. That is, each instruction is written on one line and 
while instructions (and, similarly, if and if-then-else instructions) are split so 
that 'WHILE φ DO' appears on one line, 'α_1' appears on the next, 'α_2' on the 
next, and so on (of course, if any α_i is a while, if or if-then-else instruction 
then it is split over a number of lines in the same way). The instructions are 
labelled 1, 2, and so on, according to the line they appear on. In particular, every 
instruction is considered to be an assignment, a guess or a test. An instantaneous 
description (ID) of a program scheme on some input consists of a value for each 
variable, the number of the instruction about to be executed and values for all 
array elements. A partial ID consists of just a value for each variable and the 
number of the instruction about to be executed. One step in a program scheme 
computation is the execution of one instruction, which takes one ID to another, 
and we say that a program scheme can move from one ID to another if there 
exists a sequence of steps taking the former ID to the latter. 



3 Complete Problems 

Definition 1. Let the signature σ_TR = (E, P, T, C, D), where E is a binary 
relation symbol, P and T are unary relation symbols and C and D are constant 
symbols. We can envisage any σ_TR-structure A as a digraph (possibly with self-loops) 
whose edge relation is E and with distinguished vertices C, the source, and 
D, the sink. The relation P can be seen as providing a partition of the vertices 
and the relation T a subset of the vertices upon which tokens are initially placed. 
All tokens are indistinguishable and any vertex has upon it at most one token. 
Let us call a σ_TR-structure A a token digraph. 

Just as one can traverse a path in a digraph by moving along edges, so one 
can traverse a path in a token digraph A. However, how edges can be 
traversed is different from the usual notion. Consider an edge (u, v) ∈ E for 
which both u and v are in P and such that a traveller is at vertex u (the traveller 
traverses a path of edges in the digraph). The edge (u, v) can only be traversed 
by the traveller moving as follows. 

— The traveller moves from u via the edge (u, u') to a vertex u' not in P upon 
which exactly one token resides; 

— then from u' via the edge (u', v') to a vertex v' not in P upon which no token 
resides, if v' ≠ u', and at the same time taking the token previously at u' to 
v', or by moving from u' via the edge (u', u') (if it exists) to u' (so that the 
token remains at u'); and finally 

— by moving from the vertex v' or u', whichever is the case, via the edge (v', v) 
or (u', v) to v. 

This is called a compound move (such a move is illustrated in Fig. 1), and 
compound moves are the only moves the traveller is allowed to make. Any tokens 
which happen to initially lie in P are ignored and play no part in any path 
traversal. Also, the traveller only ever makes compound moves from a vertex 
of P (u above) to a vertex of P (v above). The problem Token Reachability is 
defined as all those σ_TR-structures, i.e., token digraphs, for which a path can 
be traversed starting at the source and ending at the sink where the edges are 
traversed only by compound moves. Any instance for which C = D, no matter 
whether C is in P or not, is a yes-instance (note that if C ∉ P then the traveller 
can not move). □ 




Theorem 1. There is a quantifier-free first-order translation with 2 constants 
from any problem in NPSA(1) to the problem Token Reachability. Hence, Token 
Reachability is complete for NPSA(1) via quantifier-free first-order translations 
with 2 constants. 

Proof. (Sketch) Let ρ be a program scheme of NPSA(1) over the signature σ, 
possibly in which if instructions and if-then-else instructions occur. W.l.o.g. (by 
introducing more variables if need be), we may assume that: every array symbol 
only appears in assignment instructions; no constant symbol appears in any 
assignment instruction involving an array symbol; and there is only one array 
symbol B, and this array symbol has dimension d ≥ 1. Suppose that ρ involves 
the variables x_1, x_2, ..., x_k and that there are l instructions in ρ, numbered 
1, 2, ..., l. 

Let A be a σ-structure of size n ≥ 2. An element u = (u_0, u_1, ..., u_k) of 
{1, 2, ..., l} × |A|^k encodes a partial ID of the program scheme ρ on input A via: 
a computation of ρ on A is about to execute instruction u_0 and the variables 
x_1, x_2, ..., x_k currently have the values u_1, u_2, ..., u_k, respectively. Henceforth, 
we identify partial IDs of ρ and the elements of {1, 2, ..., l} × |A|^k. 

Let the digraph G_0 have vertex set U_0 = {1, 2, ..., l} × … and edge set 
E_0 = E_0^1 ∪ E_0^2 ∪ E_0^3, where E_0^1, E_0^2 and E_0^3 are defined as follows (in our eventual 
token digraph, the vertices of U_0 will play the role of the vertices of P from 
Definition 1). 

— E_0^1 = {((u, 0, 0), (u, max, t)), ((u, max, t), (v, 0, 0)) ∈ U_0 × U_0 : instruction 
u_0 is of the form x_j := B[x_{i_1}, x_{i_2}, ..., x_{i_d}] and it is possible 
for ρ on input A to move from partial ID u to partial 
ID v in one step, and v_j = t}. 

— E_0^2 = {((u, 0, 0), (v, 0, 0)) ∈ U_0 × U_0 : instruction u_0 is of the form 
B[x_{i_1}, x_{i_2}, ..., x_{i_d}] := x_j and it is possible for ρ on input A to 
move from partial ID u to partial ID v in one step}. 

— E_0^3 = {((u, 0, 0), (v, 0, 0)) ∈ U_0 × U_0 : instruction u_0 does not involve the 
array symbol B and it is possible for ρ on input A to 
move from partial ID u to partial ID v in one step}. 

Of course, whether ρ on input A actually moves from partial ID u to partial ID 
v in one step at some point in a computation depends upon whether u can be 
reached from the initial ID, and it might also depend upon the actual value of 
the array B at that time. The edges of E_0^1 ∪ E_0^2 reflect potential one-step moves 
from partial ID u to partial ID v (moves which are dependent upon the value 
of B). 

For each w ∈ |A|^d, define the digraph D_w to have vertex set V_w = |A| (all 
vertex sets of such digraphs are disjoint). The edge set E_w of D_w consists of 
every possible edge between vertices of V_w, including self-loops. For each vertex 
(u, 0, 0) ∈ U_0, let Z_u be a digraph with one vertex z_u and one self-loop (z_u, z_u) 
(again, all such digraphs are disjoint). Let the digraph G consist of the disjoint 
union of the digraphs G_0, {D_w : w ∈ |A|^d} and {Z_u : (u, 0, 0) ∈ U_0}, together 
with the following additional edges between the vertices of these digraphs. 

— If instruction u_0 is of the form x_j := B[x_{i_1}, x_{i_2}, ..., x_{i_d}] then there are edges 
{((u, 0, 0), z_u), (z_u, (u, max, t)) : (u, 0, 0) ∈ U_0, t ∈ |A|}, and for every 
edge ((u, max, t), (v, 0, 0)) of E_0^1, there are edges ((u, max, t), t^w) and (t^w, 
(v, 0, 0)), where w = (u_{i_1}, u_{i_2}, ..., u_{i_d}) and t^w is vertex t of V_w. 

— If instruction u_0 is of the form B[x_{i_1}, x_{i_2}, ..., x_{i_d}] := x_j then for every edge 
((u, 0, 0), (v, 0, 0)) of E_0^2, there are edges {((u, 0, 0), t^w), (u_j^w, (v, 0, 0)) : t ∈ 
|A|}, where w = (u_{i_1}, u_{i_2}, ..., u_{i_d}) and t^w (resp. u_j^w) is vertex t (resp. u_j) of 
D_w. 

— If instruction u_0 does not involve the array symbol B then for every edge 
((u, 0, 0), (v, 0, 0)) of E_0^3, there are edges ((u, 0, 0), z_u) and (z_u, (v, 0, 0)). 

That portion of the digraph G corresponding to a one-step move of ρ on input 
A from partial ID u to partial ID v can be visualized as in Figs. 2 and 3 when 
instruction u_0 is of the form x_j := B[x_{i_1}, x_{i_2}, ..., x_{i_d}] and B[x_{i_1}, x_{i_2}, ..., x_{i_d}] := 
x_j, respectively. 

We can now extend G to a token digraph: let the source be the vertex 
(1, 0, 0, 0) of U_0 and the sink be the vertex (l, max, 0, 0) of U_0; let P = U_0; and 
let T = {0^w : 0^w is the vertex 0 of D_w, where w ∈ |A|^d} ∪ {z_u : (u, 0, 0) ∈ U_0}. 
It is not difficult to see that A is accepted by the program scheme ρ if, and only 
if, G is a yes-instance of the problem Token Reachability. 

The token digraph G can easily be described in terms of A by a quantifier-free 
first-order formula with 2 constants (see comparable constructions in, for 
example, [19]), and so the problem Token Reachability is hard for NPSA(1) via 
quantifier-free first-order translations with 2 constants. Moreover, Token Reachability 
can be accepted by the following program scheme of NPSA(1). 
Figure 2. A portion of the digraph G corresponding to 
an instruction of the form x_j := B[x_{i_1}, x_{i_2}, ..., x_{i_d}]. 

Figure 3. A portion of the digraph G corresponding to 
an instruction of the form B[x_{i_1}, x_{i_2}, ..., x_{i_d}] := x_j. 

input(u, v, u', v', w) 
guess w 
while w = max do 
    guess w 
    if T(w) then B[w] := max fi 
    guess w 
od 
if ¬P(C) ∧ C ≠ D then 'loop forever' fi 
u := C 
while u ≠ D do 
    guess v 
    if ¬P(v) ∨ ¬E(u, v) then 'loop forever' fi 
    guess u' 
    if P(u') ∨ ¬E(u, u') ∨ B[u'] = 0 then 'loop forever' fi 
    guess v' 
    if P(v') ∨ ¬E(u', v') ∨ (B[v'] = max ∧ u' ≠ v') 
         ∨ (T(v') ∧ M[v'] = 0 ∧ u' ≠ v') then 
        'loop forever' fi 
    if E(v', v) then 
        B[u'] := 0; B[v'] := max; M[u'] := max; u := v 
    else 
        'loop forever' fi 
od 
(u, v, u', v', w) := (max, max, max, max, max) 
output(u, v, u', v', w) 

Some explanation is in order (beyond the obvious short-hand we use in our 
description). Our program scheme ρ involves two array symbols, B and M, both 
of dimension 1. Suppose that some σ_TR-structure A is accepted by ρ. The first 
part of ρ guesses a set of vertices upon which tokens initially lie: this set is 
{w : B[w] = max}. Throughout the execution, the array B details the locations 
of these tokens as they are moved about: call these tokens the B-type tokens. 
No other token is ever moved (and by 'moved' we include tokens which are 
moved along self-loops). The array M is initially identically 0 but whenever a 
vertex w upon which a B-type token lies is involved in a compound move, the 
array element M[w] is set to max. Consequently, at any particular time we know 
where the B-type tokens are (the elements w for which B[w] = max) and we 
know where the other tokens are (the elements w for which T(w) ∧ M[w] = 0). 

The code within the second while-loop is the code associated with making a 
compound move. The variable v holds the vertex v ∈ P (see Definition 1), the 
variable u' holds the vertex u' ∉ P and the variable v' holds the vertex v' ∉ P 
(or possibly u'). Note that in choosing u', we must ensure that a B-type token 
currently lies on u' (as these are the only tokens which we are allowed to move). 
This is done by checking whether B[u'] = max. Also, in choosing v' (if it is 
to be different from u') we must ensure that neither a B-type token nor a 
non-B-type token lies on v'. Thus, A is in Token Reachability. 

Conversely, suppose that A is in Token Reachability. In the initial phase of 
the execution of ρ on A, we can guess every token to be a B-type token. The 
result follows. □ 
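The compound-move semantics of Definition 1, and the acceptance condition that the program scheme above checks by guessing, worked out as a deterministic search over (traveller position, token placement) states. This is an added example, not code from the paper; the container class, the state encoding and the sample token digraphs are constructed here.

```python
from collections import deque
from typing import Dict, FrozenSet, Iterator, Set, Tuple

Tokens = FrozenSet[str]
State = Tuple[str, Tokens]  # (traveller position, vertices outside P carrying a token)


class TokenDigraph:
    """A sigma_TR-structure (E, P, T, C, D) as in Definition 1 (constructed container)."""

    def __init__(self, edges, P, T, C, D):
        self.succ: Dict[str, Set[str]] = {}
        for a, b in edges:
            self.succ.setdefault(a, set()).add(b)
            self.succ.setdefault(b, set())
        self.P, self.T, self.C, self.D = set(P), set(T), C, D

    def has_edge(self, a: str, b: str) -> bool:
        return b in self.succ.get(a, set())


def compound_moves(g: TokenDigraph, u: str, tokens: Tokens) -> Iterator[State]:
    """All compound moves from u (in P) under the given token placement."""
    for v in g.succ.get(u, ()):
        if v not in g.P:              # (u, v) in E with both endpoints in P
            continue
        for u1 in g.succ[u]:
            if u1 in g.P or u1 not in tokens:
                continue              # u' must lie outside P and carry a token
            # option a: the self-loop (u', u') exists, the token stays at u'
            if g.has_edge(u1, u1) and g.has_edge(u1, v):
                yield v, tokens
            # option b: carry the token from u' to an empty v' outside P, then to v
            for v1 in g.succ[u1]:
                if v1 == u1 or v1 in g.P or v1 in tokens:
                    continue
                if g.has_edge(v1, v):
                    yield v, (tokens - {u1}) | {v1}


def token_reachable(g: TokenDigraph) -> bool:
    """Is g a yes-instance of Token Reachability? Breadth-first search over
    states; the state space is finite, so the search always terminates."""
    if g.C == g.D:
        return True                   # yes-instance by definition, whether or not C is in P
    if g.C not in g.P:
        return False                  # the traveller can not make a compound move
    start: State = (g.C, frozenset(t for t in g.T if t not in g.P))  # tokens in P are ignored
    seen, queue = {start}, deque([start])
    while queue:
        u, tokens = queue.popleft()
        for state in compound_moves(g, u, tokens):
            if state[0] == g.D:
                return True
            if state not in seen:
                seen.add(state)
                queue.append(state)
    return False


# Constructed sample: P-vertices a, b, c; helper vertices h1, h2 outside P; one token on h1.
# Reaching c from a needs two compound moves: the token is carried h1 -> h2 while the
# traveller goes a -> b, and then the self-loop at h2 lets the traveller go b -> c.
EDGES = [("a", "b"), ("b", "c"),
         ("a", "h1"), ("h1", "h2"), ("h2", "b"),
         ("b", "h2"), ("h2", "h2"), ("h2", "c")]
YES = TokenDigraph(EDGES, P={"a", "b", "c"}, T={"h1"}, C="a", D="c")
# Without the self-loop at h2 the token has nowhere empty to go, so b -> c is impossible.
NO = TokenDigraph([e for e in EDGES if e != ("h2", "h2")],
                  P={"a", "b", "c"}, T={"h1"}, C="a", D="c")
```

`token_reachable(YES)` is True and `token_reachable(NO)` is False; an instance whose source lies outside P and differs from the sink is rejected without any search.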

Thus we obtain the following corollary. 

Corollary 1. Token Reachability is complete for PSPACE via quantifier-free 
first-order translations with successor. 

Proof. By [18], any problem in PSPACE can be accepted by some program 
scheme of NPSA_s(1). Hence, the result follows from Theorem 1. □ 
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4 Logics and Program Schemes 

An important point to note is that whereas the usual existential quantifier is 
catered for in program schemes of NPSA(f) via the guess instruction (intuiti- 
vely speaking), there is no such analogous modelling of the universal quantifier. 
Consequently, we extend our program schemes by introducing universal quanti- 
fication in the following manner. 

Definition 2. Let $\sigma$ be some signature. For some $m \geq 1$, let the program 
scheme $\rho \in \mathrm{NPSA}(2m-1)$ be over the signature $\sigma$ and involve the variables 
$x_1, x_2, \ldots, x_k$. Suppose that the variables $x_1, x_2, \ldots, x_l$ are the input-output 
variables of $\rho$, the variables $x_{l+1}, x_{l+2}, \ldots, x_{l+s}$ the free variables, and the 
remaining variables are the bound variables (note that if $m = 1$ then $\rho$ has no 
bound variables but that this may not be the case if $m > 1$). Let $x_{i_1}, x_{i_2}, \ldots, x_{i_p}$ 
be free variables of $\rho$, for some $p$ such that $1 \leq p \leq s$. Then 

$\forall x_{i_1} \forall x_{i_2} \cdots \forall x_{i_p}\, \rho$ 

is a program scheme of $\mathrm{NPSA}(2m)$, which we denote by $\rho'$, with no input-output 
variables, with free variables those of $\{x_{l+1}, x_{l+2}, \ldots, x_{l+s}\} \setminus \{x_{i_1}, x_{i_2}, \ldots, x_{i_p}\}$ 
and with the remaining variables of $\{x_1, x_2, \ldots, x_k\}$ as its bound variables. 

A program scheme such as $\rho'$ takes expansions $A'$ of $\sigma$-structures $A$ by 
adjoining $s - p$ constants as input (one for each free variable), and $\rho'$ accepts such 
an expansion $A'$ if, and only if, for every expansion $A''$ of $A'$ by $p$ additional 
constants (one for each variable $x_{i_j}$), $A'' \models \rho$. □ 

Note that the different computations of $\rho$ on expansions $A''$ of $A'$, in Definition 
2, are all such that all arrays are initialised to 0. 

Definition 3. Let $\sigma$ be some signature. A program scheme $\rho' \in \mathrm{NPSA}(2m-1)$, 
for some $m \geq 2$, over the signature $\sigma$ and involving the variables of $\{x_1, x_2, \ldots, 
x_k\}$, is formed exactly as are the program schemes of $\mathrm{NPSA}(1)$, with the input-output 
and free variables defined accordingly, except that the test in some while 
instruction is a program scheme $\rho \in \mathrm{NPSA}(2m-2)$ whose free and bound variables 
are all from $\{x_1, x_2, \ldots, x_k\}$ (note that $\rho$ has no input-output variables). 
However, there are further stipulations: 

— all free variables in any test $\rho \in \mathrm{NPSA}(2m-2)$ in any while instruction are 
input-output or free variables of $\rho'$; 

— the bound variables of $\rho'$ consist of all bound variables of any test $\rho \in 
\mathrm{NPSA}(2m-2)$ in any while instruction (and no bound variable is ever an 
input-output or free variable of $\rho'$); and 

— this accounts for all variables of $\{x_1, x_2, \ldots, x_k\}$. 

Of course, any free variable of $\rho'$ never appears on the left-hand side of an 
assignment instruction or in a guess instruction. 

A program scheme $\rho' \in \mathrm{NPSA}(2m-1)$ takes expansions $A'$ of $\sigma$-structures 
$A$ by adjoining $s$ constants as input, where $s$ is the number of free variables, 
and computes on $A'$ in the obvious way except that when some while instruction 
is encountered, the test, which is a program scheme $\rho \in \mathrm{NPSA}(2m-2)$, is 
evaluated according to the expansion of $A'$ by the current values of any relevant 
input-output variables of $\rho'$ (which may be free in $\rho$). In order to evaluate this 
test, all arrays in $\rho$ are initialised to 0 and when the test has been evaluated the 
computation of $\rho'$ resumes accordingly with its arrays having exactly the same 
values as they had immediately before the test was evaluated. □ 

In a program scheme such as $\rho'$ in Definition 3, the only information which 
can be 'passed' to a test evaluation is the current values of the relevant input-output 
or free variables. Arrays cannot be used to pass information across. If 
our semantics were such as to allow universal quantification over arrays then we 
could build our own successor relation. 

Theorem 1 allows us to relate the class of problems accepted by the program 
schemes of NPSA with the class of problems defined by the sentences of the logic 
(±TR)*[FO]. For each m > 1, we define the fragment ±TR(m) of (±TR)*[FO] 
as follows (see [2] for similarly defined fragments of other logics). 

— $\pm\mathrm{TR}(1)$ consists of all formulae of the form $\mathrm{TR}[\lambda \mathbf{x},\mathbf{y}\,\psi_E,\ \mathbf{x}\,\psi_F,\ \mathbf{y}\,\psi_T](\mathbf{u},\mathbf{v})$, 
where $\psi_E$, $\psi_F$ and $\psi_T$ are quantifier-free first-order formulae and where $\mathbf{u}$ 
and $\mathbf{v}$ are tuples of constant symbols or variables. 

— $\pm\mathrm{TR}(m+1)$, for odd $m \geq 1$, consists of the universal closure of $\pm\mathrm{TR}(m)$; 
that is, the set of formulae of the form $\forall z_1 \forall z_2 \ldots \forall z_i\, \psi$, where $\psi$ is a formula 
of $\pm\mathrm{TR}(m)$. 

— $\pm\mathrm{TR}(m+1)$, for even $m \geq 2$, consists of the set of formulae of the form 

$\mathrm{TR}[\lambda \mathbf{x},\mathbf{y}\,(\psi_E \vee \neg\psi'_E),\ \mathbf{x}\,(\psi_F \vee \neg\psi'_F),\ \mathbf{y}\,(\psi_T \vee \neg\psi'_T)](\mathbf{u},\mathbf{v}),$ 

where $\psi_E$, $\psi'_E$, $\psi_F$, $\psi'_F$, $\psi_T$ and $\psi'_T$ are formulae of $\pm\mathrm{TR}(m)$ and where $\mathbf{u}$ 
and $\mathbf{v}$ are tuples of constant symbols or variables. 

A straightforward induction yields that: 

— for every odd $m \geq 1$, every formula in the closure of $\pm\mathrm{TR}(m)$ under $\wedge$, $\vee$ 
and $\exists$ is logically equivalent to a formula of $\pm\mathrm{TR}(m)$; and 

— for every even $m \geq 2$, every formula in the closure of $\pm\mathrm{TR}(m)$ under $\wedge$, $\vee$ 
and $\forall$ is logically equivalent to a formula of $\pm\mathrm{TR}(m)$. 

Consequently, $(\pm\mathrm{TR})^*[\mathrm{FO}] = \bigcup\{\pm\mathrm{TR}(m) : m \geq 1\}$. Another easy induction yields 
the following result. 

Corollary 2. In the presence of 2 built-in constant symbols, $\pm\mathrm{TR}(m) = 
\mathrm{NPSA}(m)$, for each $m \geq 1$; and so $(\pm\mathrm{TR})^*[\mathrm{FO}] = \mathrm{NPSA}$. □ 

The following is immediate from Corollaries 1 and 2. 

Corollary 3. In the presence of a built-in successor relation, $(\pm\mathrm{TR})^*[\mathrm{FO}_s] = 
\mathrm{TR}[\mathrm{FO}_s] = \mathrm{PSPACE}$. □ 
Let us now focus on a comparison of NPSA with other classes of logically-defined 
problems. Bounded-variable infinitary logic, $\mathcal{L}^\omega_{\infty\omega} = \bigcup\{\mathcal{L}^k_{\infty\omega} : k \geq 1\}$, 
plays a prominent role in finite model theory (see [10]). In particular, it subsumes 
many logics from finite model theory, notably transitive closure logic, path 
system logic, least fixed-point logic and partial fixed-point logic. 

Let $\sigma_2 = \langle E \rangle$, where $E$ is a binary relation symbol. We can think of a $\sigma_2$-structure 
$A$ as an undirected graph via 'there is an edge $(u, v)$ if, and only if, 
$u \neq v \wedge (E(u,v) \vee E(v,u))$ holds in $A$'. Define the problem CUB as 

$\mathrm{CUB} = \{A \in \mathrm{STRUCT}(\sigma_2) : \text{the graph } A \text{ has a subset of edges inducing a regular subgraph of degree 3}\},$ 

where the subgraph induced by a set of edges $E$ of a graph is that subgraph 
whose vertex set consists of all those vertices incident with at least one edge 
of $E$ and whose edge set consists of $E$. Of concern to us is the result from [20] 
that the problem CUB is not definable in $\mathcal{L}^\omega_{\infty\omega}$ (even when we allow counting 
quantifiers in $\mathcal{C}^\omega_{\infty\omega}$ [20]). 

Proposition 1. Any problem definable by a sentence of the form 

$\mathrm{CUB}[\lambda \mathbf{x},\mathbf{y}\, \psi(\mathbf{x},\mathbf{y})],$ 

where $|\mathbf{x}| = |\mathbf{y}| = k$, for some $k$, and $\psi$ is a quantifier-free first-order formula 
with 2 constants, can be accepted by a program scheme of $\mathrm{NPSA}(1)$. 

Proof. We assume throughout that $k = 2$: the general case is similar. Let $A$ 
be some structure, of size $n$, over the underlying signature $\sigma$. Our program 
scheme $\rho \in \mathrm{NPSA}(1)$ proceeds as follows. We begin by 'guessing' a set of (at 
most $n^2(n^2 - 1)/2$) distinct potential edges in the graph $G_A$ described by $\psi$ 
(interpreted in $A$). We use the 4-dimensional arrays $A_1$, $A_2$, $B_1$ and $B_2$ in order 
to store the guessed list of edges as follows. We guess elements $u^1_1$, $u^1_2$, $v^1_1$ and $v^1_2$ 
of $|A|$, ensuring that it is not the case that all of these elements are equal to 0, 
and we set 

$A_1[0,0,0,0] := u^1_1,\quad A_2[0,0,0,0] := u^1_2,\quad B_1[0,0,0,0] := v^1_1,\quad B_2[0,0,0,0] := v^1_2.$ 

Next we guess elements $u^2_1$, $u^2_2$, $v^2_1$ and $v^2_2$ of $|A|$, and check that $(u^2_1, u^2_2, v^2_1, v^2_2)$ 
is different from $(0,0,0,0)$ and $(u^1_1, u^1_2, v^1_1, v^1_2)$. If so then we set 

$A_1[u^1_1,u^1_2,v^1_1,v^1_2] := u^2_1,\quad A_2[u^1_1,u^1_2,v^1_1,v^1_2] := u^2_2,$ 

$B_1[u^1_1,u^1_2,v^1_1,v^1_2] := v^2_1,\quad B_2[u^1_1,u^1_2,v^1_1,v^1_2] := v^2_2.$ 

We stop if each of $u^2_1$, $u^2_2$, $v^2_1$ and $v^2_2$ is equal to $\max$. Next, we guess elements $u^3_1$, 
$u^3_2$, $v^3_1$ and $v^3_2$ of $|A|$ and check that $(u^3_1, u^3_2, v^3_1, v^3_2)$ is different from $(0,0,0,0)$, 
$(u^1_1, u^1_2, v^1_1, v^1_2)$ and $(u^2_1, u^2_2, v^2_1, v^2_2)$. If so then we set 

$A_1[u^2_1,u^2_2,v^2_1,v^2_2] := u^3_1,\quad A_2[u^2_1,u^2_2,v^2_1,v^2_2] := u^3_2,$ 

$B_1[u^2_1,u^2_2,v^2_1,v^2_2] := v^3_1,\quad B_2[u^2_1,u^2_2,v^2_1,v^2_2] := v^3_2.$ 
We stop if each of $u^3_1$, $u^3_2$, $v^3_1$ and $v^3_2$ is equal to $\max$; and so on. 

Any computation of $\rho$ which completes this first phase is such that the arrays 
now encode the (non-empty) list of $m - 1$ distinct 'potential edges' 

$((u^1_1, u^1_2), (v^1_1, v^1_2)),\ ((u^2_1, u^2_2), (v^2_1, v^2_2)),\ \ldots,\ ((u^{m-1}_1, u^{m-1}_2), (v^{m-1}_1, v^{m-1}_2)).$ 

We now check that the potential edges on this list are indeed edges of $G_A$ by 
verifying that 

$(u^i_1 \neq v^i_1 \vee u^i_2 \neq v^i_2) \wedge (\psi(u^i_1, u^i_2, v^i_1, v^i_2) \vee \psi(v^i_1, v^i_2, u^i_1, u^i_2))$ 

holds in $A$, for $i = 1, 2, \ldots, m - 1$. 

Finally, we check that each vertex incident with some edge in our list of 
edges is incident with exactly 3 such edges: if so, we accept the input structure 
$A$, otherwise we reject it. It is clear that all of the above can be implemented in 
a program scheme of $\mathrm{NPSA}(1)$; and that the resulting program scheme accepts 
exactly the problem defined by the sentence $\mathrm{CUB}[\lambda \mathbf{x},\mathbf{y}\, \psi(\mathbf{x},\mathbf{y})]$. □ 
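As an added illustration of the verification phase in the proof above (this code is not part of the paper), the following Python performs exactly the two checks described: every pair on the guessed list must be an edge of the graph, and every vertex incident with a listed edge must be incident with exactly three listed edges. The nondeterministic guessing phase of the program scheme is replaced by exhaustive enumeration of edge subsets, which is only practical for small graphs, and the graph is given directly by the relation $E$ (that is, $\psi(x,y)$ is just $E(x,y)$ with $k = 1$). The function names, the representation of a $\sigma_2$-structure as a vertex count plus a set of ordered pairs, and the sample graphs are assumptions made here.

```python
"""Added example (not from the paper): the CUB check of Proposition 1.

A sigma_2-structure is taken to be a vertex count n and a set E of ordered
pairs over range(n).  As in the paper, {u, v} is an undirected edge iff
u != v and (E(u, v) or E(v, u)).  The guessing phase of the program scheme
is replaced by exhaustive enumeration of edge subsets (assumption: small
graphs only); the verification phase is the one described in the proof.
"""
from itertools import combinations


def undirected_edges(n, E):
    """Sorted list of edges {u, v} (as (min, max) tuples) of the graph
    described by E, discarding loops and pairs outside the universe."""
    edges = set()
    for (u, v) in E:
        if u != v and 0 <= u < n and 0 <= v < n:
            edges.add((min(u, v), max(u, v)))
    return sorted(edges)


def check_edge_list(n, E, potential_edges):
    """Verification phase.  `potential_edges` plays the role of the guessed
    list stored in the arrays A_1, A_2, B_1, B_2: it must be a non-empty list
    of distinct genuine edges of the graph, and every vertex incident with a
    listed edge must be incident with exactly three listed edges."""
    graph = set(undirected_edges(n, E))
    chosen = [(min(u, v), max(u, v)) for (u, v) in potential_edges]
    if not chosen or len(set(chosen)) != len(chosen):
        return False                       # empty list or repeated edge
    if any(e not in graph for e in chosen):
        return False                       # a listed pair is not an edge
    degree = {}
    for (u, v) in chosen:
        degree[u] = degree.get(u, 0) + 1
        degree[v] = degree.get(v, 0) + 1
    return all(d == 3 for d in degree.values())


def in_cub(n, E):
    """Brute-force stand-in for the guessing phase: A is in CUB iff some
    subset of its edges passes check_edge_list.  A 3-regular graph on v
    vertices has 3v/2 edges (v even), so only sizes that are multiples of
    three, starting at 6, need to be tried."""
    graph = undirected_edges(n, E)
    for size in range(6, len(graph) + 1, 3):
        for subset in combinations(graph, size):
            if check_edge_list(n, E, subset):
                return True
    return False


# Constructed sample inputs: K_4 (cubic), the 4-cycle (not cubic), and K_4
# with a pendant vertex attached (contains a cubic subgraph).
K4 = {(u, v) for u in range(4) for v in range(4) if u < v}
C4 = {(0, 1), (1, 2), (2, 3), (3, 0)}
K4_PENDANT = K4 | {(0, 4)}
```

Note that `check_edge_list` is deterministic and polynomial, as the proof requires of the verification phase; all the exponential work sits in `in_cub`, which stands in for the guesses of the program scheme.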

Using the facts that the problem CUB is not definable in $\mathcal{C}^\omega_{\infty\omega}$ and that there 
are non-recursive problems which are definable in $\mathcal{L}^\omega_{\infty\omega}$, we immediately obtain 
the following corollary. 

Corollary 4. There are problems in $\mathrm{NPSA}(1)$ which are not definable in $\mathcal{C}^\omega_{\infty\omega}$, 
and there are problems in $\mathcal{L}^\omega_{\infty\omega}$ which are not definable in $\mathrm{NPSA}(1)$. □ 

Note that whilst we know that there are problems in NPSA which are not 
definable in partial fixed-point logic (a fragment of bounded-variable infinitary 
logic, remember), we do not as yet know whether there are problems in partial 
fixed-point logic which are not definable in NPSA (although we suspect that 
there are). 



5 Zero-One Laws 

Let $\sigma$ be a relational signature and let $\Omega$ be a problem over $\sigma$. Define the fraction 

$l_n(\Omega) = \dfrac{|\{A : A \in \mathrm{STRUCT}(\sigma) \text{ has size } n \text{ and } A \in \Omega\}|}{|\{A : A \in \mathrm{STRUCT}(\sigma) \text{ has size } n\}|}$ 

and define the (labelled) asymptotic probability of $\Omega$, $l(\Omega)$, as 

$\lim_{n \to \infty} l_n(\Omega),$ 

if it exists. We say that a logic or a class of program schemes has a zero-one law 
if every problem $\Omega$ (over a relational signature) definable by a sentence of the 
logic or accepted by a program scheme from the class is such that the asymptotic 
probability $l(\Omega)$ exists and is equal to either 0 or 1. For any logical sentence or 
program scheme $\phi$ (over a relational signature), we define $l(\phi)$ to be $l(\Omega)$ where 
$\Omega$ is the problem defined by $\phi$. 

Program Schemes, Arrays, Lindstrom Quantifiers, and Zero-One Laws 387 

A problem $\Omega$ over some (not necessarily relational) signature $\sigma$ is closed under 
extensions if whenever a $\sigma$-structure $A$ has a sub-structure in $\Omega$ then $A \in \Omega$ (a 
$\sigma$-structure $A'$ is a sub-structure of $A$ if the universe of $A'$ is contained in the 
universe of $A$, any relation of $A'$ is the restriction of the corresponding relation of 
$A$ to $|A'|$ and every constant of $A'$ is the same as the corresponding constant of 
$A$). The following theorem is essentially a generalization of Theorem 7.4 of [9] to 
extensions of first-order logic using a uniform sequence of Lindström quantifiers 
corresponding to a problem closed under extensions, where this problem need 
not just involve graphs but can be over any (not necessarily relational) signature. 
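The two definitions above, the labelled fraction $l_n(\Omega)$ and closure under extensions, can be checked mechanically for tiny structures. The following Python is an added example, not code from the paper: it enumerates every $\sigma$-structure of size $n$ for $\sigma = \langle E \rangle$ with $E$ binary, computes $l_n$ exactly as a rational, and tests the closure property on all structures of size at most $n$. Identifying a structure with its set of pairs, the `problem(n, E)` predicate convention, and the two sample problems are assumptions made here.

```python
"""Added example (not from the paper): the labelled fraction l_n(Omega) and
the closed-under-extensions property of Section 5, computed by brute force
over the signature sigma = <E> with E a binary relation symbol.

Assumptions: a structure of size n is identified with its relation E, a
frozenset of pairs over range(n); a problem is a Python predicate
problem(n, E) closed under isomorphism.  All 2**(n*n) structures of size n
are enumerated, so this is only meant for n <= 3 or 4.
"""
from fractions import Fraction
from itertools import combinations, product


def all_structures(n):
    """Every sigma-structure of size n, as a frozenset of pairs."""
    pairs = list(product(range(n), repeat=2))
    for mask in range(1 << len(pairs)):
        yield frozenset(p for i, p in enumerate(pairs) if (mask >> i) & 1)


def labelled_fraction(n, problem):
    """l_n(Omega): the share of size-n structures that lie in Omega."""
    total = hits = 0
    for E in all_structures(n):
        total += 1
        if problem(n, E):
            hits += 1
    return Fraction(hits, total)


def substructure(E, universe):
    """The sub-structure induced on `universe` (a subset of the vertices):
    the relation is restricted to it and the vertices are relabelled
    0..m-1 so the result is again a structure of size m = len(universe)."""
    index = {v: i for i, v in enumerate(sorted(universe))}
    return frozenset((index[u], index[v]) for (u, v) in E
                     if u in index and v in index)


def closed_under_extensions_upto(n, problem):
    """Check the definition on all structures of size at most n: whenever
    some sub-structure of A is in Omega, A itself must be in Omega."""
    for size in range(1, n + 1):
        for E in all_structures(size):
            if problem(size, E):
                continue
            for m in range(1, size):
                for universe in combinations(range(size), m):
                    if problem(m, substructure(E, universe)):
                        return False   # counter-example: A not in Omega
    return True


# Constructed sample problems over sigma = <E>.
def has_edge(n, E):
    """'Some pair (u, v) with u != v is in E'; closed under extensions."""
    return any(u != v for (u, v) in E)


def has_no_edge(n, E):
    """Complement of has_edge; not closed under extensions."""
    return not has_edge(n, E)
```

For `has_edge` the fraction is $1 - 2^{-(n^2 - n)}$, which tends to 1, while its complement tends to 0; both have an asymptotic probability, as the zero-one law demands, but only the first is closed under extensions.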

Theorem 2. Let $\Omega$ be a problem closed under extensions. Then the logic 
$(\pm\Omega)^*[\mathrm{FO}]$ has a zero-one law. □ 

The following corollary is immediate from Corollary 2 and Theorem 2, as the 
problem Token Reachability is closed under extensions. 

Corollary 5. The class of program schemes NPSA has a zero-one law. □ 



6 Conclusions 

In this paper we have investigated a naturally-defined class of program schemes, 
NPSA, which take finite structures as inputs, and proven that the class of 
problems accepted by the program schemes of NPSA coincides with the class of 
problems defined by the sentences of an extension of first-order logic using a 
uniform sequence of Lindström quantifiers (corresponding to a PSPACE-complete 
problem). Moreover, we have shown that the class of problems NPSA has a zero-one 
law and also that there are problems in NPSA which are not definable in 
bounded-variable infinitary logic. We feel that our general approach of investigating 
more 'computational versions of logics' (that is, classes of program schemes) 
than is often the case in finite model theory is completely natural, interesting 
and novel; and the results presented here and obtained in [2,6,21] further testify 
to this belief. 

There remain many unanswered questions concerning classes of program 
schemes. The most notable ones arising from this paper are: 'Are there problems 
definable in partial fixed-point logic which are not accepted by any program 
scheme of NPSA?'; and 'Is the hierarchy of program schemes $\mathrm{NPSA}(1) \subseteq 
\mathrm{NPSA}(2) \subseteq \mathrm{NPSA}(3) \subseteq \ldots$ proper?'. We conjecture that the answer to both 
of these questions is 'Yes'; although so far we have been unable to apply or 
extend the techniques of [2] to answer either of these questions. (In [2], the 
class of program schemes NPS, where array symbols are not allowed, was shown 
to be none other than transitive closure logic and an infinite proper hierarchy 
$\mathrm{NPS}(1) \subset \mathrm{NPS}(2) \subset \ldots$ was exhibited; and the class of program schemes NPSS, 
where array symbols are not allowed but access to a stack is, was shown to be 
none other than path system logic, which in turn is stratified Datalog, and an 
infinite proper hierarchy $\mathrm{NPSS}(1) \subset \mathrm{NPSS}(2) \subset \ldots$ was exhibited.) 
Abstract. We show that elementary arithmetic formulated in the language 
with a free function symbol $f$ and the least element principle for 
open formulas (where we assume that the symbols for all elementary 
functions are included in the language) does not prove the least element 
principle for bounded formulas in the same language. A related result is 
that composition and any number of unnested applications of the bounded 
minimum operator are, in general, insufficient to generate the elementary 
closure of a function, even if all elementary functions are available. Thus, 
the unnested bounded minimum operator is weaker than unnested bounded 
recursion. 



1 Introduction and Motivation 

This paper arose out of the problem of separating the schemes of $\Delta_1$-induction 
and $\Delta_1$-collection in arithmetic [4,6]. It turns out that this question is closely 
related to the comparison of different operators generating the elementary closure 
of a class of functions and to the problems of separating the corresponding 
systems of subrecursive arithmetic. These questions are also natural from a purely 
computational point of view. 

In this paper we compare the relative strength of the bounded $\mu$-operator and 
bounded recursion. We show that the unnested bounded $\mu$-operator is, in general, 
weaker than unnested bounded recursion. In contrast, it is well known that, 
when nestings are allowed, each of the two operators together with composition 
is sufficient to generate the elementary closure of a class of functions. 

We compare the strength of the two operators against the problem of computing 
the maximum of a function on a finite interval. In order to compute 
$\max_{i \leq x} f(i)$ on a Turing machine with a function oracle for $f$ one needs of the order 
of $x$ different oracle queries (see [2]). In particular, any Turing machine that may 
only ask a bounded number of queries cannot, in general, compute this function. 
This implies that the class of functions generated from all elementary functions 
and $f$ by composition does not, in general, coincide with the elementary closure of 
a function $f$. This idea was used in [2] to show the independence of the $\Delta_1$-collection 
rule in arithmetic, which improved the result of Parsons on the independence of 
the $\Sigma_1$-collection schema from the set of all true arithmetical $\Pi_2$-sentences (see also 
[8] for related work on subrecursive degrees). 

* Supported by Alexander von Humboldt Foundation and RFBR grant 98-01-00249. 

If unnested applications of the bounded $\mu$-operator are allowed on a par with 
composition, then the available power of computation increases compared to the 
bounded query oracle Turing machine. It is worth explaining here informally 
why such a computation mechanism is still too weak to compute the maximum 
of $f$. 

A $\mu$-operator of the form $\mu i \leq x.\, R(i)$, where $R(i)$ is a bounded query 
predicate, can be interpreted in terms of a parallel bounded query machine. To 
evaluate this operator the machine generates $x + 1$ independent subprocesses; the 
$i$-th process $P_i$ evaluates the predicate $R(i)$ and returns true or false. Then the 
machine runs through their outputs to find the least $i$ such that $R(i)$ evaluates 
to true. 

Since $R(x)$ is a bounded query predicate, all the subprocesses have a uniform 
bound on the number of queries each of them may ask. More important still, 
each subprocess $P_i$ only returns true or false, that is, exactly one bit. This 
means that the processes cannot exchange too much information. This is crucial 
for the fact that $\max_{i \leq x} f(i)$ cannot be computed by such a machine: each 
subprocess $P_i$ can only learn the values of $f$ on a boundedly small subset of the 
large interval $[0, x]$, but it lacks the ability to communicate, say, the maximum of 
these values to other processes. (Compare with the usual algorithm of computing 
the maximum of $f$ by querying successively $f(0), f(1), \ldots, f(x)$. Here, one has 
to always store the intermediate maximum value of $f$, which may potentially 
exceed any bounded number of bits.) 

Of course, this rough idea will be made more precise in the proof of our main 
result. This proof is based on a recursion-theoretic diagonal construction that 
involves a combinatorial argument using the infinite Ramsey theorem. 

2 Statement of the Results 

As usual, for a given predicate $R(x,v)$ the expression $\mu x \leq a.\, R(x,v)$ denotes 
the function 

$\mu x \leq a.\, R(x,v) = \begin{cases} \text{the minimal } x \leq a \text{ such that } R(x,v) \text{ holds}, & \text{if } \exists x \leq a\, R(x,v) \\ & \text{otherwise.} \end{cases}$ 

For a set of functions $K$, let $C(K)$ denote the closure of $K$ and the class of 
elementary functions $\mathcal{E}$ under composition. Further, let $[K, M]$ denote the closure 
of the class $K \cup \mathcal{E}$ under composition and unnested applications of the bounded 
minimum operator, that is, the closure under composition of $K \cup \mathcal{E}$ and all functions 
of the form $\mu x \leq a.\, R(x,v)$, where $R(x,v) \in C(K)$. Similarly, $[K, \mathrm{BR}]$ denotes 
the closure of $K \cup \mathcal{E}$ under composition and unnested applications of the bounded 
recursion schema, that is, primitive recursion bounded by some function from 
$C(K)$. The closure of $K \cup \mathcal{E}$ under composition and (nested) bounded recursion is 
called the elementary closure of $K$ and is denoted $E(K)$. By a result of Parsons 
[9], $E(f) = C(\bar f)$, where $\bar f$ denotes the function $\bar f(x) = \langle f(0), \ldots, f(x) \rangle$. 

It is known [10] that $E(K)$ coincides with the closure of $K \cup \mathcal{E}$ under composition 
and (nested) bounded minimum operator. It is also easy to see from [10] 
that $E(K) = [K, \mathrm{BR}]$. On the other hand, we prove the following theorem. 

Theorem 1. There is a function $f : \mathbb{N} \to \mathbb{N}$ such that 

$[C(f), M] \neq [C(f), \mathrm{BR}] = E(f).$ 

This means that the unnested bounded $\mu$-operator is insufficient to generate the 
elementary closure of a function. In contrast, we also show that for any $f$, 
$[[C(f), M], M] = E(f)$. 

Our main concern will be the counterpart of these results in formal arithmetic. 
We consider the language of first order Kalmár elementary arithmetic 
EA (with function symbols for all elementary functions and the only relation 
symbols $<$ and $=$) enriched by a new unary function symbol $f$. The set of open 
formulas in this language will be denoted $C(f)$. The set of bounded formulas, 
that is, the formulas obtained from atomic ones using boolean connectives and 
bounded quantifiers ($f$ may occur in bounding terms), is denoted $\Delta_0(f)$. 
Relativized elementary arithmetic EA$(f)$ is the extension of EA in the enriched 
language without any additional mathematical axioms for $f$. 

We study the comparative strength of the least element principle for open and 
for bounded formulas. For a formula $R(x)$, let $L_R$ denote the following formula: 

$R(a) \to \exists x \leq a\, (R(x) \wedge \forall y < x\, \neg R(y)).$ 

Of course, we assume that $R(x)$ may involve other parameters apart from $x$. 
$LC(f)$ will denote the set of formulas $L_R$ for all open $R$; $L\Delta_0(f)$ is similarly 
defined. By abusing the terminology, $LC(f)$ will also denote the theory 
axiomatized over EA$(f)$ by this schema. The related induction schema is similarly 
defined: $I_R$ denotes the formula 

$R(0) \wedge \forall x < a\, (R(x) \to R(x+1)) \to R(a),$ 

$IC(f)$ denotes the set of formulas $I_R$ for all open $R$, $I\Delta_0(f)$ denotes the set of 
formulas $I_R$ for all bounded $R$. 

Obviously, for any formula $R$, the formula $L_{\neg R}$ implies $I_R$, and $I_{\forall u < x\, \neg R(u)}$ 
implies $L_R$. This shows that the schemata $I\Delta_0(f)$ and $L\Delta_0(f)$ are equivalent 
over EA$(f)$. Notice, however, that the formula $\forall u < x\, \neg R(u)$ involves bounded 
quantifiers. In fact, over EA$(f)$ the induction schema $IC(f)$ turns out to be 
strictly weaker than the corresponding least element principle $LC(f)$. This fact 
is related to the question of separating the schema of arithmetical $\Delta_1$-induction 
from the $\Sigma_1$-collection schema [4,6]. We give a proof of this fact in a subsequent 
paper. 

Our goal here is to prove the following result. 

Theorem 2. $LC(f) \nvdash L\Delta_0(f)$. 




392 L.D. Beklemishev 



Before starting with the proof, let us notice that the theorem above is sensitive 
to the presence of additional axioms for $f$. For example, if the additional 
axioms expressing that $f$ is any of the usual fast growing functions of the 
Grzegorczyk hierarchy are added to $LC(f)$, then the schema $L\Delta_0(f)$ will be provable. 
In fact, an axiom asserting the monotonicity of $f$ and an elementary definition 
of the graph of $f$ suffice [1]. As a trivial example consider the axiom $\forall x\, f(x) = 0$. 
In this case both theories are equivalent to the elementary arithmetic EA. 

The proof of Theorem 2 goes in two relatively independent steps. The first 
step is a proof-theoretic reduction of the question of separation of the two axiom 
systems to a purely computation-theoretic question. This will be a more or less 
straightforward application of Herbrand's theorem for $\exists\forall$ formulas. The second 
step is a recursion-theoretic construction, which allows us to separate the classes of 
computable functions resulting from the previous Herbrand analysis. This result 
strengthens Theorem 1 and is obtained by a slight modification of its proof. 

Applications of Herbrand's theorem for $\exists\forall$ formulas have proved to be very 
useful in the questions of separating the systems of bounded arithmetic. Connections 
between the classes of functions representable in systems of bounded arithmetic 
and bounded query computation have also been established (see [7]). This 
paper shows that a similar methodology is useful in the context of subrecursion 
and subrecursive arithmetic. However, there are some notable differences. An 
essential feature of our techniques is that we deal with function oracles, whereas 
bounded query computation has mostly been considered for set oracle Turing 
machines. This difference seems to be essential, e.g., the problem of computing 
the maximum of a function has little meaning for 0-1-valued functions. 

3 Herbrand Analysis 

Recall that $\bar f$ denotes the function $\bar f(x) = \langle f(0), \ldots, f(x) \rangle$, assuming some standard 
elementary coding of finite sequences of numbers. Notice that the graph of 
$\bar f$ can be defined in the language of EA$(f)$ by the following bounded formula: 

$\bar f(x) \simeq y \;\leftrightarrow\; [y \in \mathrm{Seq} \wedge \mathrm{lh}(y) = x + 1 \wedge \forall i \leq x\, (y)_i = f(i)]. \quad (1)$ 

The following lemma is straightforward, but we shall give a detailed argument 
in order to see how much induction is actually used. For $n \geq 1$ let $\Pi_n(f)$ and 
$\Sigma_n(f)$ denote the classes of formulas obtained from $C(f)$ by $n$ alternating blocks 
of bounded quantifiers, starting from $\forall$ and $\exists$, respectively. For technical reasons 
(that will only be essential in Section 5) we assume that all the bounding terms 
are elementary, that is, do not involve the function symbol $f$. 

Lemma 1. $L\Delta_0(f) \vdash \forall x \exists y\, \bar f(x) \simeq y$. 

Proof. By induction on $x$ we first prove the following statement: 

$\forall x\, [\exists m \leq x\, \forall i \leq x\, f(i) \leq f(m)].$ 

The formula in square brackets (let us denote it $\varphi(x)$) is bounded and, in fact, 
belongs to the class $\Sigma_2(f)$. Moreover, the induction step $\forall x\, (\varphi(x) \to \varphi(x+1))$ 
is obviously provable in EA$(f)$. Hence, this argument can be done in $I\Sigma_2(f)$. 
Further, taking $y = f(m)$ we can conclude within that theory and within $L\Delta_0(f)$ 
that $y = \max_{i \leq x} f(i)$ exists. 

As a separate argument we now prove the following statement: 

$\forall i \leq x\, f(i) \leq y \to \exists u \leq b(x,y)\, \bar f(x) \simeq u,$ 

for a suitable elementary term $b(x,y)$ that bounds the code of a sequence given its 
length and a bound on its elements. This statement follows by the least element 
principle, for $\bar f(x)$ is the least element $v \leq b(x,y)$ such that $\forall i \leq x\, f(i) \leq (v)_i$. 
(This holds under the usual conventions on the coding of sequences.) Thus, this 
part of the argument is formalizable in $L\Pi_1(f)$. 

In Section 5 we improve on the first part of the above argument and show 
that the statement $\forall x \exists y\, \bar f(x) \simeq y$ is provable in $L\Pi_1(f)$. In fact, $L\Pi_1(f)$ is 
shown to be equivalent to $L\Delta_0(f)$. Our main aim in this paper is to show that 
the totality of $\bar f$ is not provable in $LC(f)$. 

The following easy lemma states that symbols for all functions of the class 
$[C(f), M]$ can be introduced in a definitional extension of the theory $LC(f)$. 
First, for any formula $R(x) \in C(f)$ we introduce a symbol $m_R$ for the function 
$\mu x \leq a.\, R(x)$ (here and below we ignore possible additional parameters in $R$ 
and $m_R$). Second, let $M_R$ denote the following formula: 

$R(a) \to (R(m_R(a)) \wedge \forall y < m_R(a)\, \neg R(y)).$ 

Let $LC(f)^\circ$ denote the extension of EA$(f)$ by symbols $m_R(x)$ for all $R \in C(f)$ 
and the corresponding axioms $M_R$. 

Lemma 2. $LC(f)^\circ$ is a conservative definitional extension of $LC(f)$. 

Proof. The two things to notice are that the axioms $M_R$ logically imply the 
corresponding axioms $L_R$ (because $M_R$ implies $R(a) \to m_R(a) \leq a$), and that $L_R$ 
also implies that the minimum is unique. 

Notice that $LC(f)^\circ$ has a purely universal axiomatization. A version of 
Herbrand's theorem for $\exists\forall$ formulas suitable for our present purposes reads as follows 
[3]. 

Lemma 3. Let $T$ be a theory axiomatized by a set of purely universal formulas, 
and let $\varphi(x,u,y)$ be an open formula such that $T \vdash \exists y \forall u\, \varphi(x,u,y)$. Then there 
are terms $t_0(x), t_1(x,u_0), \ldots, t_n(x,u_0,\ldots,u_{n-1})$ such that 

$T \vdash \varphi(x,u_0,t_0(x)) \vee \varphi(x,u_1,t_1(x,u_0)) \vee \ldots \vee \varphi(x,u_n,t_n(x,u_0,\ldots,u_{n-1})).$ 

We now apply this theorem to the formula $\exists y\, \bar f(x) \simeq y$. In other words, we 
take $T$ to be $LC(f)^\circ$ and $\varphi(x,u,y)$ to be $(u \leq x \to f(u) = (y)_u)$ and obtain the 
following corollary. 

Corollary 1. If $LC(f) \vdash \exists y\, \bar f(x) \simeq y$, then there are terms $t_0(x), t_1(x,u_0), 
\ldots, t_n(x,u_0,\ldots,u_{n-1})$ in $LC(f)^\circ$ such that the following disjunction holds for 
any $f$ and all $x, u_0, \ldots, u_n \in \mathbb{N}$ (and is, in fact, provable in $LC(f)^\circ$): 

$(u_0 \leq x \to f(u_0) = (t_0(x))_{u_0}) \vee (u_1 \leq x \to f(u_1) = (t_1(x,u_0))_{u_1}) \vee \cdots \vee (u_n \leq x \to f(u_n) = (t_n(x,u_0,\ldots,u_{n-1}))_{u_n}). \quad (2)$ 

In order to compute $\bar f(a)$ we do not need to know any values of $f$ outside 
the interval $[0,a]$. This idea is captured in the following definition of an $a$-reduced 
$[C(f), M]$-term $t$, where $a$ is a distinguished free variable of $t$. 

A term $t$ is $a$-reduced, if every term $s$ such that $f(s)$ is a subterm of $t$ 
graphically has the form $s = \min(s_0, a)$, for some term $s_0$. (We also consider the 
subterms $f(s)$ occurring inside the $\mu$-operators $\mu i \leq t_0.\, R(i)$, that is, in $t_0$ and 
$R$.) 

The following corollary allows us to restrict our attention below to the reduced 
terms. 

Corollary 2. In the formulation of Corollary 1 we can assume all the terms 
$t_0(x), t_1(x,u_0), \ldots, t_n(x,u_0,\ldots,u_{n-1})$ to be $x$-reduced. 

Proof. Let the terms $t_i$ for $i \leq n$ satisfy the conclusion of Corollary 1. Replace 
all subterms of the form $f(s)$ occurring in one of the terms $t_i$ by the terms 
$f(\min(s,x))$. (We also make the substitution inside the subterms of the form 
$\mu z \leq t.\, R(z)$, that is, in $t$ and $R$.) Each term of the resulting sequence $t'_0(x), 
t'_1(x,u_0), \ldots, t'_n(x,u_0,\ldots,u_{n-1})$ is $x$-reduced. We claim that this sequence also 
satisfies the conclusion of Corollary 1. 

Indeed, the sequence of terms $t_0(x), t_1(x,u_0), \ldots, t_n(x,u_0,\ldots,u_{n-1})$ is supposed 
to satisfy the disjunction (2) for any function $f$. Let the function $f'$ coincide 
with $f$ on the interval $[0,x]$ and let $f'(y) = f(x)$ for $y > x$. Then, obviously, 
$\bar f'(x) = \bar f(x)$. Moreover, the value of $f'(s)$ for any $s$ coincides with $f(\min(s,x))$. 
Hence the value of any term $t'_i$ for $f$ coincides with the value of $t_i$ for $f'$ (easy 
induction on the build-up of $t_i$). It follows that the sequence $t'_i$ satisfies the 
conclusion of the corollary. 

The next section will be devoted to the proof of the fact that for a suitably 
chosen $f$ a sequence of ($x$-reduced) terms satisfying (2) cannot exist. This will 
be preceded by a proof of Theorem 1. 

4 Bounded Query $\mu$-Programs 

Every term $t \in C(f)$ can be considered as a program with an oracle for a 
function $f$, which may only ask a bounded number of oracle queries (this number 
is bounded by the number of occurrences of the symbol $f$ in $t$ and does not 
depend on the input of the program). The running time is then bounded by an 
elementary function of the size of the input together with all the oracle answers. 
For technical reasons it will be convenient for us to deal with terms from $C(f)$ in 
the format of programs (this fixes a specific order of subterms of a given term). 

A simple program $R$ is a sequence of assignments of the following kind: 

$y_0 := f(t_0(x));$ 

$y_1 := f(t_1(x, y_0));$ 

$\ldots$ 

$y_n := f(t_n(x, y_0, \ldots, y_{n-1}));$ 

$R := R(x, y_0, \ldots, y_n).$ 

Here $t_0, \ldots, t_n$ are elementary terms, $x$ are the input variables, and $R$ is an 
elementary output predicate. (We shall only consider simple programs that compute 
predicates, that is, return true or false.) The number $n$ is called the length of 
the program $R$, and the $y_i$ are the inner variables of $R$. 

Execution of a program for a given oracle function $f : \mathbb{N} \to \mathbb{N}$ is defined in 
the obvious way. If $f$ is only a partial function, then the result of the execution 
of a program may not be defined (this happens if the value of some term $t_i$ 
computed during the execution of the program does not belong to $\mathrm{dom}(f)$). A 
program $R$ is $a$-reduced, if all the terms $t_i$ of $R$ have the form $\min(t'_i, a)$, for some 
elementary term $t'_i$, where $a$ is a fixed input variable. 

Clearly, any predicate $R \in C(f)$ can be rewritten as a simple program. 
Moreover, an $a$-reduced predicate is represented as an $a$-reduced program. 
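The following Python is an added example, not code from the paper, that makes the simple-program model just described executable and ties it to two earlier points: the bounded $\mu$-operator $\mu x \leq a.\, R(x)$ of Section 2, and the contrast from the introduction between a simple program, whose number of oracle queries is fixed by its length, and the usual maximum algorithm, which queries $f(0), \ldots, f(x)$. It also performs the $x$-reduction of Corollary 2 on a program and shows why it matters for a partial oracle. The representation of elementary terms as Python callables, the `Oracle` class with its `domain`, the default value $a + 1$ returned by `bounded_mu` when no $x \leq a$ satisfies $R$ (the paper does not fix that value), and the sample program are all assumptions made here.

```python
"""Added example (not from the paper): terms of C(f) as bounded-query oracle
programs (Section 4), the bounded mu-operator of Section 2, and x-reduction.

Assumptions: elementary terms t_i are Python callables t_i(x, y_0, ..., y_{i-1})
and the output predicate R is a callable R(x, y_0, ..., y_n), for a single
input variable x; a partial oracle is modelled by a `domain` outside of which
a query raises KeyError.  When no i <= a satisfies R, bounded_mu returns
a + 1; the paper leaves that default unspecified, so it is a choice made here.
"""


class Oracle:
    """Wraps f and counts queries, so the query bound can be observed."""

    def __init__(self, f, domain=None):
        self.f, self.domain, self.queries = f, domain, 0

    def __call__(self, x):
        if self.domain is not None and x not in self.domain:
            raise KeyError(f"{x} is not in dom(f)")  # execution undefined
        self.queries += 1
        return self.f(x)


def run_simple_program(terms, output, oracle, x):
    """Execute y_i := f(t_i(x, y_0..y_{i-1})) for each term, then R(x, y)."""
    ys = []
    for t in terms:
        ys.append(oracle(t(x, *ys)))
    return output(x, *ys)


def terminates(terms, output, oracle, x):
    """True iff execution never queries f outside its domain."""
    try:
        run_simple_program(terms, output, oracle, x)
        return True
    except KeyError:
        return False


def a_reduce(terms):
    """x-reduced program: every query argument t_i becomes min(t_i, x)."""
    return [lambda x, *ys, t=t: min(t(x, *ys), x) for t in terms]


def bounded_mu(a, R):
    """mu x <= a. R(x): least x <= a with R(x), else a + 1 (assumed default)."""
    for x in range(a + 1):
        if R(x):
            return x
    return a + 1


def max_by_scan(oracle, x):
    """The usual algorithm for max_{i<=x} f(i): x + 1 queries and a stored
    running maximum, the two things a bounded-query term cannot afford."""
    best = oracle(0)
    for i in range(1, x + 1):
        best = max(best, oracle(i))
    return best


# Constructed sample program of length n = 1:
#   y_0 := f(2x);  y_1 := f(y_0 mod (x + 1));  R := y_1 > y_0.
# Its first query looks outside [0, x], so it is not x-reduced.
TERMS = [lambda x: 2 * x, lambda x, y0: y0 % (x + 1)]


def OUTPUT(x, y0, y1):
    return y1 > y0
```

Run against an oracle whose domain is $[0, x]$, the unreduced program fails at its first query while `a_reduce(TERMS)` runs to completion with exactly two queries whatever $x$ is; `max_by_scan` on the same $x$ makes $x + 1$ queries, which is the gap the paper exploits.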

Suppose $R$ is a simple program of length $n$, and let the values of all input 
variables be fixed. Then the output of $R$ can be considered as a boolean-valued 
function of the oracle answers obtained during its execution. However, there 
may be some dependencies between these answers. We will show that, under 
certain conditions on the values of $f$, these dependencies can be simplified. This 
is formally expressed by Lemma 4 below. The idea behind it is that by a suitable 
restriction of the (infinite) range of $f$, and hence of the range of possible 
oracle answers, one can ensure that the output of any given simple program 
does not actually depend on those answers. This idea already has a Ramsey-type 
flavour and, indeed, Ramsey's theorem plays a central role in the argument. 
Technical details follow. 

Let $f : D \to \mathbb{N}$ be a partial function with a finite domain $D$, and $Y \subseteq \mathbb{N}$ be 
an infinite set. Let $\prec$ be a linear ordering on $[0, n]$; it will be interpreted as a 
certain preference ordering of the inner variables $y_0, \ldots, y_n$ of $R$. A sequence of 
numbers $c = (c_0, \ldots, c_n)$ from the interval $[0, a]$ and a sequence $(y_0, \ldots, y_n)$ are 
coherent if they satisfy the following conditions: 

$f$-constraints: $\forall i \leq n\, (c_i \in \mathrm{dom}(f) \to y_i = f(c_i))$; 
$c$-constraints: $\forall i, j \leq n\, (c_i = c_j \to y_i = y_j)$. 

If some of the following additional assumptions are satisfied, we speak about $Y$-, 
or $(Y, \prec)$-coherence. 

$Y$-constraints: $\forall i \leq n\, (c_i \notin \mathrm{dom}(f) \to y_i \in Y)$; 
$\prec$-constraints: if $i, j \leq n$ are such that $c_i, c_j \notin \mathrm{dom}(f)$ and 
$(\forall k < i\ c_k \neq c_i) \,\&\, (\forall k < j\ c_k \neq c_j)$, then $i \prec j$ implies $y_i < y_j$. 

Clearly, any coherent pair of sequences represents an extension $f'$ of the given 
function $f$ to the domain $D \cup \{c_0, \ldots, c_n\}$. $Y$- and $\prec$-constraints tell us that the 
values of this function are chosen in a pre-specified order from a given set $Y$. 
Given a sequence $c$, one can define the subsequence of essential elements of $c$ 
as follows. $c_0$ is essential if $c_0 \notin \mathrm{dom}(f)$. $c_{k+1}$ is essential if $c_{k+1} \notin \mathrm{dom}(f)$ and 
for no $i \leq k$ do we have $c_i = c_{k+1}$. Note that the sequence of essential elements 
of $c$ only depends on $f$. $\prec$-constraints state that the order of the values of $f'$ on 
essential arguments agrees with the preference order $\prec$. 

Notice the following obvious monotonicity property: if a pair of sequences is 
$Y$-coherent, then it is also $Y'$-coherent for any set $Y' \supseteq Y$. 

Let a reduced program R and the values of the input variables of R be fixed. 
Let a be the value of the distinguished variable of R. 

Lemma 4. For any $f$, $Y$ and $\prec$ as above, one can find an infinite subset $Y' \subseteq Y$ and a sequence $c = (c_0,\dots,c_n)$ such that any sequence $y = (y_0,\dots,y_n)$ that is $(Y',\prec)$-coherent with $c$ yields an extension $f'$ of $f$ for which the program $R$ terminates. Moreover, the values of the terms $t_i$ computed during the execution of $R$ on $f'$ equal the constants $c_i$, and the output value of $R$ is constant (either $R$ is true for all such sequences $y$, or false for all of them).

Proof. We successively construct infinite sets $Y_0 \supseteq Y_1 \supseteq \dots \supseteq Y_n$ and the corresponding numbers $(c_0,\dots,c_n)$, so that the coherent values of $f'$ taken from the set $Y_i$ on the arguments $(c_0,\dots,c_i)$ allow one to execute the program $R$ up to line $i$.

Since the values of the input variables are fixed, we simply define $c_0$ to be the value of $t_0$ and let $Y_0$ equal $Y$. Assume $Y_k$ and $c = (c_0,\dots,c_k)$ are already constructed. Consider the term $t_{k+1}(y_0,\dots,y_k)$. First, substitute in $t_{k+1}$ the constants $f(c_i)$ for all variables $y_i$ such that $c_i \in \mathrm{dom}(f)$. Second, substitute for $y_j$ the variable $y_i$, if $c_i$ is essential, $c_j = c_i$ and $i < j$. Call the resulting term $t'$.

Obviously, the value of $t_{k+1}$ on any sequence $y$ coherent with $c$ coincides with the value of $t'$ on the subsequence of $y$ corresponding to the essential elements of $c$.

The ordering $\prec$ of the essential elements of $c$ allows us to naturally associate with $t'$ a function
$$\varphi_{t'} : [Y_k]^p \to [0,a],$$
where $p$ is the number of arguments of $t'$ (and coincides with the number of essential elements of $c$), and $[X]^p$ denotes the set of all $p$-element subsets of $X$.

The function $\varphi_{t'}$ is defined as follows. Let $e : [1,p] \to [0,k]$ enumerate the essential elements $(c_{e1},\dots,c_{ep})$ of $c$. Let $\pi$ be the unique permutation of $[1,p]$ such that
$$\pi i < \pi j \iff ei \prec ej,$$
that is, $e \circ \pi^{-1}$ enumerates the essential elements in the order induced by $\prec$. We define
$$t''(y_1,\dots,y_p) := t'(y_{\pi 1},\dots,y_{\pi p}).$$
Any $p$-element subset $b \subseteq Y_k$ can be uniquely ordered into an increasing sequence $v$ of elements of $Y_k$. We define $\varphi_{t'}(b) = t''(v)$.

By the infinite Ramsey theorem there is an infinite subset $Y_{k+1} \subseteq Y_k$ such that $\varphi_{t'}$ is constant on $[Y_{k+1}]^p$. Let $c_{k+1}$ be the constant value of $\varphi_{t'}$ on $[Y_{k+1}]^p$.

We show that $t_{k+1}(y_0,\dots,y_k) = c_{k+1}$ for all sequences $(y_0,\dots,y_k)$ which are $(Y_{k+1},\prec)$-coherent with $c$.

Indeed, let $(y_0,\dots,y_k)$ be $(Y_{k+1},\prec)$-coherent with $c$. Then
$$t_{k+1}(y_0,\dots,y_k) = t'(y_{e1},\dots,y_{ep}) = t''(y_{e\pi^{-1}1},\dots,y_{e\pi^{-1}p}).$$
By $\prec$-coherence we have
$$y_{e\pi^{-1}i} < y_{e\pi^{-1}j} \iff i < j.$$
This means that $(y_{e\pi^{-1}1},\dots,y_{e\pi^{-1}p})$ is an increasing sequence, hence by the choice of $Y_{k+1}$
$$t''(y_{e\pi^{-1}1},\dots,y_{e\pi^{-1}p}) = c_{k+1}.$$

Thus, we have constructed the required sequence $(c_0,\dots,c_n)$ and a set $Y_n$, which allow one to execute $R$ up to line $n$.

To ensure that the output value of $R$ is constant we apply Ramsey's theorem in the same fashion to the predicate $R(y_0,\dots,y_n)$ considered as a boolean valued function of $y = (y_0,\dots,y_n)$. Then we obtain a subset $Y' \subseteq Y_n$ such that $R$ is constant on any sequence $y$ which is $(Y',\prec)$-coherent with $(c_0,\dots,c_n)$.

Lemma 5. The set $Y'$ can be chosen uniformly in $\prec$, that is, given $f$, $Y$ and the values of the input variables of $R$, one can point out a subset $Y' \subseteq Y$ that satisfies the conclusion of Lemma 4 for any preference ordering $\prec$.

Proof. This follows from the fact that there are only finitely many possible orderings of $[0,n]$. Thus, we can enumerate all such orderings $\prec_0,\dots,\prec_s$. Applying Lemma 4 $s+1$ times we successively construct infinite sets $Y_0 \supseteq Y_1 \supseteq \dots \supseteq Y_s = Y'$. Then for any ordering $\prec_i$ one can point out a sequence $c^i$ such that any $(Y',\prec_i)$-coherent sequence $y$ is also $(Y_i,\prec_i)$-coherent with $c^i$ (by the monotonicity property, since $Y' \subseteq Y_i$) and thus satisfies the conclusions of the previous lemma.

Next we define $\mu$-programs. A $\mu$-operator is an assignment of the following form:
$$y := \mu i \le z.\ R(i,x), \qquad (\mu{\le})$$
where $R$ is a simple program with the input variables as shown. A $\mu$-operator is $a$-reduced if the simple program $R$ is. If the variables $x$ and $z$ are already evaluated, then the output $y$ of the $\mu$-operator is defined, as usual, to be the minimal $i$ for which $R(i,x)$ holds, if such an $i \le z$ exists, and $y$ equals $z+1$ otherwise. A $\mu$-program $P$ is a sequence of simple assignments of the form $y := t(u)$ ($t(u)$ an elementary term), $y := f(x)$, and of $\mu$-operators $(\mu{\le})$, which satisfies the following natural variable restrictions:




398 



L.D. Beklemishev 



1) any inner variable is assigned its value in $P$ only once;

2) for any occurrence of any of the above kinds of operators, $u$, $x$ and $z$ are either input variables or inner variables introduced earlier than $y$.

We will only consider $\mu$-programs that are reduced in the sense that all the $\mu$-operators are $a$-reduced, for a fixed input variable $a$. Obviously, such programs suffice to represent any $a$-reduced $[C(f),M]$-term.

Notice that there are various possibilities of implementing the $\mu$-operator on different machines. A simple deterministic strategy would be to evaluate successively $R(0), R(1), \dots, R(z)$ until the minimal $i$ for which $R(i)$ evaluates to true is found. However, there is a possibility of implementing the $\mu$-operator on a parallel machine, where we independently evaluate $R(0), R(1), \dots, R(z)$ on different processors and then run through their single-bit outputs to find the minimal $i$ for which $R(i)$ holds. Notice that these independent processors are bounded in that each one of them may only ask a uniformly bounded number of oracle queries (at most the number of occurrences of $f$ in $R$, since each inner variable is assigned once), whereas the simple deterministic strategy requires a potentially unbounded number of oracle queries. Another important restriction is that each of the processors only returns a single bit, that is, it cannot exchange much information with the other processors. This nondeterministic picture is useful for the understanding of our formal construction below.
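As an added illustration (not code from the paper), the following Python script implements the two evaluation strategies for a $\mu$-operator over a query-counting oracle. The simple program $R(i,x)$, the oracle $f(i) = i^2$ and the bounds are constructed for the example; what it shows is that the sequential strategy spends $i+1$ oracle calls to find $i$ (and $z+1$ calls when no $i \le z$ qualifies), while each parallel processor spends exactly as many calls as $R$ contains occurrences of $f$, here one, and hands back a single bit.

```python
from typing import Callable, List, Tuple


class Oracle:
    """The oracle function f, wrapped so that every query is counted.
    One instance per processor models that processor's private query budget."""

    def __init__(self, f: Callable[[int], int]) -> None:
        self._f = f
        self.queries = 0

    def __call__(self, n: int) -> int:
        self.queries += 1
        return self._f(n)


def make_simple_program(x: int) -> Callable[[int, Oracle], bool]:
    """A 'simple program' R(i, x) with one occurrence of the oracle symbol f:
    it returns the single bit  f(i) > x.  (Constructed for this example.)"""
    def R(i: int, f: Oracle) -> bool:
        return f(i) > x
    return R


def mu_sequential(R: Callable[[int, Oracle], bool], z: int, f: Oracle) -> Tuple[int, int]:
    """y := mu i <= z. R(i, x), evaluated deterministically: try R(0), R(1), ... on one
    shared oracle. Returns (y, total oracle queries); y = z + 1 if no i <= z qualifies."""
    for i in range(z + 1):
        if R(i, f):
            return i, f.queries
    return z + 1, f.queries


def mu_parallel(R: Callable[[int, Oracle], bool], z: int,
                f: Callable[[int], int]) -> Tuple[int, int, List[bool]]:
    """The same mu-operator on z + 1 independent processors, each with its own oracle
    counter and each returning one bit. Returns
    (y, maximum queries made by any single processor, the bit vector)."""
    bits: List[bool] = []
    budget: List[int] = []
    for i in range(z + 1):
        processor_oracle = Oracle(f)          # private query count for processor i
        bits.append(R(i, processor_oracle))
        budget.append(processor_oracle.queries)
    y = next((i for i, b in enumerate(bits) if b), z + 1)   # scan the single-bit outputs
    return y, max(budget), bits


def square(n: int) -> int:
    """The oracle used in the example: f(n) = n^2 (constructed, not from the paper)."""
    return n * n


if __name__ == "__main__":
    R = make_simple_program(50)                        # R(i) holds iff f(i) > 50
    print(mu_sequential(R, 20, Oracle(square)))        # (8, 9): found i = 8 after 9 queries
    print(mu_parallel(R, 20, square)[:2])              # (8, 1): every processor asked f once
    R_never = make_simple_program(10 ** 6)             # no i <= 20 qualifies
    print(mu_sequential(R_never, 20, Oracle(square)))  # (21, 21): z + 1, after z + 1 queries
    print(mu_parallel(R_never, 20, square)[:2])        # (21, 1)
```

The per-processor bound is what the formal construction exploits: the number of oracle answers any single processor can see is fixed by $R$, not by $z$, while the sequential strategy's total grows with $z$.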

Suppose we are given a $\mu$-operator and the values of its input variables. Further, assume that an infinite set $Y$ and a finite function $f$ are given. We shall describe a procedure that allows one to evaluate the $\mu$-operator under some conditions on the choice of additional values of $f$. Simultaneously we extend $f$ (adding no more than $n+1$ new elements to its domain), and go from $Y$ to an (infinite) subset $Y' \subseteq Y$.

First, consider the simple program $R(x)$ for the input value $x = 0$. By Lemma 5 we obtain an infinite subset $Y_0 \subseteq Y$ such that any ordering $\prec$ of the inner variables of $R$ uniquely determines a sequence $c$ together with an output value of $R(0)$. If for one of the finitely many orderings $\prec$ the corresponding value equals true, then we evaluate $\mu$ to $0$, set $Y' = Y_0 \setminus [0,\max(f)]$ and extend $f$ to the set $\{c_0,\dots,c_n\}$ by choosing a suitable tuple $y$ that is $(Y',\prec)$-coherent with $c$. (Here $\max(f)$ is the maximal value of $f$; recall that $\mathrm{dom}(f)$ is finite.)

Otherwise (if all preference orderings yield the output value false), we consider the input value $x = 1$ for $R$ and construct the corresponding set $Y_1 \subseteq Y_0$. Again, $\mu$ is evaluated to $1$ if at least one of the orderings yields the value true; otherwise $R(1)$ is evaluated to false and we continue.

Proceeding in this way, we construct subsets $Y_0 \supseteq Y_1 \supseteq \dots \supseteq Y_k$, for $k \le z$. At the end, $\mu$ is evaluated to $k$ if a $k$ is found for which $R(k)$ evaluates to true under this procedure, and $\mu$ is evaluated to $z+1$ otherwise. In the latter case we define $Y' = Y_z$ and $f' = f$.

Notice that as the result of running this procedure we evaluate the $\mu$-operator and simultaneously define an infinite subset $Y' \subseteq Y$ and a function $f'$ extending $f$. Obviously, this extension procedure preserves the injectivity of $f$.

Notice the following important property of this construction. 
Lemma 6. Let the evaluation procedure yield $Y'$ and $f'$, and let $g$ be any total injective function extending $f'$ such that $g(\mathbb{N} \setminus \mathrm{dom}(f')) \subseteq Y'$. Then the value of the $\mu$-operator computed for the function $g$ coincides with the result of the above evaluation procedure.

Proof. Consider the evaluation procedure. If $\mu$ was evaluated to $0$, this means that $R(0)$ evaluated to true under some preference ordering. Yet, the essential arguments and values in that case are fixed, that is, $R(0)$ evaluates to true under $f'$, and hence under $g$.

If $\mu$ was evaluated to $1$, then $R(1)$ evaluates to true under $f'$ and $g$ for similar reasons. Let us execute the simple program $R(0)$ for $g$. Notice that by the construction of $f'$ all values of $f'$ on $\mathrm{dom}(f') \setminus \mathrm{dom}(f)$ lie in $Y'$, so together with the assumption on $g$ we get $g(\mathbb{N} \setminus \mathrm{dom}(f)) \subseteq Y'$. This means that all values assigned to the inner variables of $R$ during the execution of $R(0)$ on $g$ at arguments outside $\mathrm{dom}(f)$ are elements of $Y'$. Moreover, the sequence of these values $y$ and the corresponding arguments $c$ of $g$ satisfy the $f$-, $c$- and $Y'$-constraints.

Further, by our assumption $g$ has different values on different arguments. Hence, the values $y_i$ (for essential arguments $c_i$) are strictly linearly ordered. Let $\prec$ be any extension of the induced linear ordering to $[0,n]$ (it does not matter how the inessential arguments are ordered). Then $y$ and $c$ will be $(Y',\prec)$-coherent. By the construction of $Y'$, the value false of $R(0)$ is then uniquely determined for any $(Y',\prec)$-coherent sequences, that is, this value coincides with the computed value of $R(0)$ on $g$.

The argument showing that the values of $R(j)$ for $j < i$ are preserved, for the case that the $\mu$-operator was evaluated to $i > 1$, is similar.

Now we show that the function $\bar f$ cannot, in general, be computed by a $\mu$-program.

Lemma 7. There is a total function $f : \mathbb{N} \to \mathbb{N}$ such that for any $\mu$-program $P(x)$ there is a number $a$ such that $P(a) \ne \bar f(a)$.

Proof. First of all, by Corollary 2 it is sufficient to construct an $f$ that falsifies any $x$-reduced $\mu$-program (actually, we apply a particular case of this corollary for a sequence consisting of a single term $t_0$).

We enumerate all such programs $P_0,\dots,P_\alpha,\dots$ and construct $f$ in such a way that by stage $\alpha$ the function $f$ is defined on a finite domain $D_\alpha$ and falsifies the programs $P_0,\dots,P_{\alpha-1}$. We set $D_0 = \emptyset$.

Consider the program $P_\alpha(x)$. Let $q$ be the total number of occurrences of the symbol $f$ in $P_\alpha$, where we also count the occurrences of $f$ inside the $\mu$-operators. Choose a number $a$ so large that there are more than $q$ elements in the set $[0,a] \setminus D_\alpha$. Evaluate $P_\alpha(a)$ along with constructing an infinite set $Y \subseteq \mathbb{N}$ and an extension of $f$ according to the following rules.

Initialize $Y = \{x \in \mathbb{N} \mid x > \max(f)\}$ ($\mathrm{dom}(f) = D_\alpha$ is finite).

Simple assignments of the form $y := t(z)$, where $t$ is an elementary term, are evaluated in the usual way; $f$ and $Y$ are not changed.

An assignment of the form $y := f(z)$ is treated as follows. If $z \in \mathrm{dom}(f)$, then return the corresponding value of $f$ and do not change $f$ or $Y$. If $z \notin \mathrm{dom}(f)$, then set $f(z) = \min(Y)$, add $z$ to $D_\alpha$ and delete $\min(Y)$ from $Y$.
An assignment of the form $y := \mu i \le z.\ R(i)$ is treated in accordance with the evaluation procedure described above ($f$ and $Y$ are changed as specified in that procedure).

Clearly, the program $P_\alpha(a)$ will eventually be evaluated, and $f$ will be defined at no more than $q$ new points of the interval $[0,a]$. Hence, there will be a point of that interval where $f$ is not yet defined. Define the values of $f$ at such points to be any sequence of different elements of $Y$, each of which is greater than the output of the program $P_\alpha(a)$. (This is sufficient for our purposes, for $\max_{i \le a} f(i) \le \bar f(a)$.) End of stage $\alpha$ of the construction of $f$.

Now we have to show that $f$ as constructed really falsifies the program $P_\alpha$ on $[0,a]$. It suffices to show that the computation of $P_\alpha$ with the oracle function $f$ yields the same result as our evaluation procedure. We prove this by induction on the length of $P_\alpha$. Simple assignments obviously yield the same results.

Consider the crucial case of a $\mu$-operator. Let $f_1$ and $Y_1$ be constructed by the evaluation procedure for this $\mu$-operator. Obviously, $f$ restricted to $[0,a]$ is an injective function extending $f_1$. Besides, by the construction only values from $Y_1$ are added to $f_1$ at later stages of the evaluation procedure for the given $\mu$-program. Therefore, Lemma 6 can be applied, which completes the induction step and the proof of the lemma.

Obviously, the function $\bar f$ belongs to $[C(f),\mathrm{BR}]$ (see [10]). (It follows that the class $[C(f),\mathrm{BR}]$ coincides with the elementary closure of $f$.) On the other hand, by Lemma 7 there is an $f$ such that $\bar f$ is not in $[C(f),M]$. This completes the proof of Theorem 1.

Theorem 1 contrasts with the fact that a doubly nested $\mu$-operator suffices to generate the elementary closure.

Lemma 8. For any function $f$,
$$[[C(f),M],M] = [C(f),\mathrm{BR}] = E(f).$$

Proof. If $R \in C(f)$, then the predicate $\forall i \le x\ R(i)$ belongs to $[C(f),M]$, for
$$\forall i \le x\ R(i) \iff x+1 = \mu i \le x.\ \neg R(i).$$

Defining $t(x) = \mu z \le x.\ \forall u \le x\ f(u) \le f(z)$ yields
$$\max_{i \le x} f(i) = f(t(x)) \in [[C(f),M],M].$$

On the other hand, the relation $\bar f(x) \simeq y$ (see (1)) belongs to $[C(f),M]$, and there is an elementary function $g(x,y)$ such that for all $x$,
$$\bar f(x) = \mu u \le g(x, \max_{i \le x} f(i)).\ \bar f(x) \simeq u.$$

Hence, $\bar f \in [[C(f),M],M]$ as a composition of two functions from this class. But $C(\bar f) = E(f)$.
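The two nesting levels in this proof can be run directly. The following Python functions, added here as an illustration and not part of the paper, use the deterministic reading of $\mu i \le z.\ R(i)$ to build the bounded universal quantifier (one level), then $t(x)$ and $\max_{i \le x} f(i) = f(t(x))$ (the second level), and check them against a direct computation for a constructed, non-monotone oracle $f$ given as a table.

```python
from typing import Callable, Sequence

Predicate = Callable[[int], bool]


def mu(R: Predicate, z: int) -> int:
    """mu i <= z. R(i): the least i <= z with R(i), and z + 1 if there is none."""
    return next((i for i in range(z + 1) if R(i)), z + 1)


def bounded_forall(R: Predicate, x: int) -> bool:
    """forall i <= x R(i)  <=>  x + 1 = mu i <= x. not R(i)   (first mu level)."""
    return mu(lambda i: not R(i), x) == x + 1


def t(f: Callable[[int], int], x: int) -> int:
    """t(x) = mu z <= x. forall u <= x f(u) <= f(z): the least index of a maximum.
    The inner bounded_forall is itself a mu, so this is the second mu level."""
    return mu(lambda z: bounded_forall(lambda u: f(u) <= f(z), x), x)


def bounded_max(f: Callable[[int], int], x: int) -> int:
    """max_{i <= x} f(i), computed as f(t(x))."""
    return f(t(f, x))


def table_oracle(values: Sequence[int]) -> Callable[[int], int]:
    """A finite oracle f given by a table (constructed for the example)."""
    return lambda n: values[n]


if __name__ == "__main__":
    f = table_oracle([3, 9, 4, 9, 1, 12])
    for x in range(6):
        assert bounded_max(f, x) == max(f(i) for i in range(x + 1))
    print([t(f, x) for x in range(6)])   # [0, 1, 1, 1, 1, 5]: ties resolve to the least index
```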




Open Least Element Principle and Bounded Query Computation 401 



In order to prove Theorem 2 we need a somewhat sharper separation result. The sequence of terms $t_1(x,u_0),\dots,t_n(x,u_0,\dots,u_{n-1})$ that appears in Lemma 3 and Corollary 1 can be considered as a kind of teacher-student game [7]: the student first tries to compute $\bar f(x)$ with a program $t_0(x)$. If the answer is correct, the student wins. If the answer is incorrect, the teacher has to show him/her a counterexample $u_0$ demonstrating that $t_0$ fails. The student then has the right to come up with a better solution $t_1(x,u_0)$ that may depend on the teacher's example $u_0$, and so on. The game has boundedly many rounds.

We have to show that a student who is only able to compute bounded query $\mu$-programs cannot, in general, interactively compute $\bar f$ in the above sense. We will essentially use the fact that the teacher can only help the student boundedly many times. A sequence $P$ of (reduced) $\mu$-programs $P_0(x), P_1(x,u_0),\dots,P_n(x,u_0,\dots,u_{n-1})$ will be called an interactive $\mu$-program.

Lemma 9. There is a function $f : \mathbb{N} \to \mathbb{N}$ such that for any interactive $\mu$-program $P$ there is a number $a$ and a sequence $u_0,\dots,u_n$ of elements of $[0,a]$ such that the student loses the game $P(a)$ with the teacher's counterexamples $u_0,\dots,u_n$:
$$f(u_0) \ne (P_0(a))_{u_0} \wedge f(u_1) \ne (P_1(a,u_0))_{u_1} \wedge \cdots$$

Proof. The argument is very similar to the one for Lemma 7. We only have to take care that the interval on which the game is being played has a place for all the teacher's answers.

Enumerate all possible interactive $\mu$-programs. Let $P_\alpha$ be the program to be falsified at stage $\alpha$, and let $f$ be already defined on a finite domain $D_\alpha$. Let $q$ be greater than the total number of occurrences of the symbol $f$ in $P_\alpha$ plus $n$. Fix an $a$ such that $[0,a]$ has more than $q$ elements outside $D_\alpha$.

Evaluate $P_0(a)$ as described in Lemma 7. Find the minimal $u_0 \in [0,a]$ such that $u_0 \notin \mathrm{dom}(f)$, define $f(u_0)$ to be the minimal element of $Y$ bigger than the output of $P_0(a)$ and throw out all elements of $Y$ smaller than $f(u_0)$. Proceed in the same way with the evaluation of $P_1(a,u_0)$.

Obviously, after $P_n$ is evaluated, fewer than $q$ new elements have been added to the domain of $f$. Hence, all $u_0,\dots,u_n$ are successively defined and falsify $P_\alpha$.

This completes the proof of Theorem 2.



5 Further Remarks

In this section we consider the strength of the induction and the least element principles for the classes of formulas between $C(f)$ and $\Delta_0(f)$. First, we state some equivalences. Deductive equivalence of theories will be denoted $\equiv$.

Lemma 10. $I\Sigma_n(f) \equiv I\Pi_n(f)$.
Proof. This is proved by the usual trick of Parsons: induction for a formula $\varphi(x)$ can be reduced to induction for $\neg\varphi(a - x)$, where $a$ is a free parameter. The reduction can be carried out in $\mathrm{EA}(f)$.



Lemma 11. $I\Pi_n(f) \equiv L\Pi_n(f)$.

Proof. This follows by the usual proof of the least element principle by induction: induction for the formula $\forall u \le x\ \neg R(u)$ yields the least element principle for $R$, and the class of $\Pi_n(f)$-formulas is closed under bounded universal quantifiers.

Notice that the dual form of this lemma for $n = 1$ is wrong. This can be seen from the next lemma.

Lemma 12. The following theories are equivalent:

1. $L\Sigma_1(f) \equiv LC(f)$;

2. $L\Sigma_{n+1}(f) \equiv L\Pi_n(f)$, for $n \ge 1$.

Proof. We only prove Part 1. The proof of Part 2 is similar.

We are to derive inside $LC(f)$ the formula $L\varphi$, where $\varphi(a)$ has the form $\exists u \le t(a)\ \psi(u,a)$ (possibly with some additional parameters). Here $t(a)$ is an elementary term.

Consider the set of pairs $S = \{(x,u) \mid u \le t(x)\}$ and order it as follows:
$$(x_1,u_1) \prec (x_2,u_2) \iff (x_1 < x_2 \vee (x_1 = x_2 \wedge u_1 < u_2)).$$

Obviously, there is an elementary isomorphism between $(S,\prec)$ and $(\mathbb{N},<)$, so within $LC(f)$ one can prove the least element principle for open formulas for $(S,\prec)$.

In order to prove the formula $L\varphi$ we formalize the following argument within $LC(f)$. Assume $\exists u \le t(a)\ \psi(u,a)$; then for some $u$ satisfying $\psi(u,a)$ the pair $(a,u)$ is in $S$. Applying the least element principle for $(S,\prec)$ to the $C(f)$-formula $\psi_0(z) = \psi((z)_1,(z)_0)$ we obtain a pair $(x,u) \preceq (a,u)$ such that
$$\psi(u,x) \wedge \forall y,w\ ((y,w) \prec (x,u) \to \neg\psi(w,y)).$$

We claim that $x$ is as required. Obviously, $x \le a$ and $\exists u \le t(x)\ \psi(u,x)$. On the other hand, for all $y < x$, $w \le t(y)$ there holds $\neg\psi(w,y)$, because all such pairs $(y,w)$ belong to $S$ and precede $(x,u)$ in the sense of $\prec$.



Corollary 3. The following theories are equivalent:

1. $LC(f) \equiv L\Sigma_1(f) \equiv$ iAt(/) $\equiv$ iiTf(/);

2. $L\Pi_1(f) \equiv L\Sigma_2(f) \equiv I\Sigma_1(f) \equiv I\Pi_1(f)$.

Let $\mathrm{EA}(\bar f)$ denote the theory formulated in the language of $\mathrm{EA}$ with an extra function symbol $\bar f$. In addition to the axioms of $\mathrm{EA}$ it has the following two axioms:

1. $\forall x\ (\bar f(x) \in \mathrm{Seq} \wedge \mathrm{lh}(\bar f(x)) = x+1)$,

2. $\forall x,y\ (x < y \to \bar f(x) = (\bar f(y) \restriction x))$.

Here $(z \restriction x)$ denotes the natural elementary function selecting the initial segment of length $x+1$ of a sequence coded by $z$. Further, let $IC(\bar f)$ denote the extension of $\mathrm{EA}(\bar f)$ by the schema of induction for open formulas.

The following lemma is established in [1]. Its proof can be obtained by formalization of the equivalence $C(\bar f) = E(f)$.

Lemma 13. $IC(\bar f)$ contains $L\Delta_0(\bar f)$ and $L\Delta_0(f)$, under the interpretation of $f(x)$ as the term $(\bar f(x))_x$.

Notice that bounding terms occurring in the instances of $L\Delta_0(f)$ may actually involve $f$.

As is shown in [1], $L\Delta_0(f)$ also naturally interprets $IC(\bar f)$, see equation (1). The following lemma is an improvement of this.

Lemma 14. Under the natural interpretation of $\bar f$, $L\Pi_1(f)$ contains $LC(\bar f)$.

Proof. We first recall that by the proof of Lemma 1
$$I\Pi_1(f) \vdash \forall x \exists y\ \bar f(x) \simeq y.$$
Hence, the same formula is provable in $L\Pi_1(f)$.

Second, we use an argument similar to the proof of Proposition 5.11 from [1] (which, in turn, derives from [5]). $LC(\bar f)$ can be reduced to the least element principle for positive $\Sigma_1$-formulas in the graph of $\bar f$, more precisely, the formulas built up from elementary ones and $\bar f(x) = y$ using $\wedge$ and bounded existential quantifiers. This relies on the monotonicity of $\bar f$. The natural translation of the formula $\bar f(x) = y$ belongs to $\Pi_1(f)$, hence $LC(\bar f)$ is interpretable in $L\Sigma_2(f)$, which by Corollary 3 is equivalent to $L\Pi_1(f)$.

Thus, the hierarchy of least element schemata in our setting collapses above the level of $\Pi_1(f)$.

Corollary 4. $L\Pi_1(f) \equiv L\Delta_0(f)$.

Conclusion: The theories considered so far fall into four distinct classes:
$$\mathrm{EA}(f) \subset IC(f) \subset LC(f) \subset L\Pi_1(f) \equiv L\Delta_0(f).$$

The main theorem of this paper shows that $LC(f)$ and $L\Delta_0(f)$ are really distinct. It is also possible to separate $IC(f)$ from $LC(f)$ and from $\mathrm{EA}(f)$. These separation results are tightly related to the question of positioning the schema of arithmetical $\Delta_1$-induction in the hierarchy of subsystems of Peano arithmetic. The proofs of the latter two results will be given in a subsequent paper.
Abstract. We present a game model of the untyped $\lambda$-calculus, with equational theory equal to the Böhm tree $\lambda$-theory $\mathcal{B}$, which is universal (i.e. every element of the model is definable by some term). This answers a question of Di Gianantonio, Franco and Honsell. We build on our earlier work, which uses the methods of innocent game semantics to develop a universal model inducing the maximal consistent sensible theory $\mathcal{H}^*$. To our knowledge these are the first syntax-independent universal models of the untyped $\lambda$-calculus.



1 Introduction

We aim to construct a universal model (i.e. every element of the model is the denotation of some term) of the pure untyped $\lambda$-calculus which induces the Böhm tree $\lambda$-theory $\mathcal{B}$, by building on the game models presented in [4]. Although the general approach is innocent in the sense of [3] and [7], the two-player games we use are simpler and can be considered a special case where moves are neither questions nor answers but simply "declarations". A notable feature of game semantics is that the $\lambda$-definable strategies are effective methods for copying moves uniformly from one "component" of the game to another. For example, the identity strategy on an arena $A \Rightarrow A$ is everywhere copycat, i.e. P always plays back every O-move (but in the opposite component of $A$). The key idea is that the innocent strategies definable by untyped $\lambda$-terms are, what we call, effectively almost-everywhere copycat (EAC). Informally this means that at every position, except in response to finitely many possible O-moves, the strategy is constrained to behave, from that point onwards, uniformly in an everywhere-copycat fashion, just like the identity strategy. Effectively here means that (not only is the strategy itself recursive but also) at every position, the boundary of that finite part of the game tree in which the strategy is not forced to play copycat must be computable.

We find it convenient to introduce innocent strategies in a concrete setting whereby (tree) arenas are defined as subsets of $\mathbb{N}^*$ of a certain kind, and this we do in Sect. 2. Section 3 introduces the EAC strategies which give rise to a universal $\lambda$-model $\mathcal{D}_{EAC}$ whose theory is the maximal consistent sensible $\lambda$-theory $\mathcal{H}^*$. The definition of such strategies uses an efficient encoding of innocent strategies, as partial functions from $\mathbb{N}^*$ to tuples of numbers, which we call economical form. Sections 2 and 3 should be regarded as a survey of [4], and this paper is a sequel to that work. The notion of EAC strategies has a natural extension to explicitly and effectively almost-everywhere copycat. However finding an ambient cartesian closed category for these strategies to inhabit proved to be a painful process, as we briefly show in Sect. 4: the natural analogues fail to work quite as intended. Once this has been overcome we use a reflexive object to describe a $\lambda$-algebra which we call Ai. We formulate a new version of the powerful Exact Correspondence Theorem of the earlier work, with which we can show that Ai is a universal $\lambda$-model which induces the intended equational theory. To our knowledge, $\mathcal{D}_{EAC}$ and Ai are the first syntax-independent universal $\lambda$-models.

In [2], Di Gianantonio et al. have obtained game models of the untyped $\lambda$-calculus using history-free strategies. They show that all their models induce the same $\lambda$-theory $\mathcal{H}^*$ and have asked for "new techniques for overcoming this apparent rigidity of game $\lambda$-models". This paper answers that question by constructing a universal game model for the Böhm tree lambda-theory.

2 Arenas and Innocent Strategies

This section and the next give a quick introduction to the basic ideas underpinning the main result of the paper. We refer the reader to [4] for further details and to [3] and [5] for proofs of all results quoted. We define an arena to be a finite tuple of nonempty trees of moves. The root of each tree is called an initial move. Our trees are considered "upside-down" with the root at the top, rather like family trees. We can also refer to the child of a node, and say that one node inherits from another, in the same vein. We say that moves at an even depth of the trees (including the roots at depth 0) are O-moves, and moves at an odd depth are P-moves. O-moves are often denoted by $\bullet$ and P-moves by $\circ$.

We will only be interested in countably branching, countably deep trees. Thus we can encode each tree of the arena as a subset of $\mathbb{N}^*$¹ by inductively labelling the root as $\varepsilon$ and the children of the move $s$ as $s \cdot n$ (we use the notation $s$, $t$ etc. to denote sequences). Hence each move of each tree is associated uniquely with a sequence of natural numbers. Conversely, given any subset $A \subseteq \mathbb{N}^*$ which is prefix-closed and has the property that whenever $s \cdot n \in A$ we have $s \cdot m \in A$ for each $m < n$, we can form an arena of one tree where the moves are the elements of $A$, ordered by prefix. Henceforth by arenas, we shall always mean arenas in sequence-subset (of $\mathbb{N}^*$) form. For example, the empty tuple $()$ is an arena, which we call the empty arena; $(\{\varepsilon\})$ is the minimal one-tree arena consisting of a root node; the maximal one-tree arena, consisting of an infinitely deep, infinitely branching tree, is $(\mathbb{N}^*)$. As the empty arena, the minimal and maximal one-tree arenas are important, we shall name them $E$, $M$ and $U$ respectively.

There are two major constructions for forming arenas. Suppose $A = (A_1,\dots,A_m)$ and $B = (B_1,\dots,B_n)$ are arenas.

— The product arena $A \times B$ is the "disjoint union" of the trees of $A$ and $B$, the concatenation of their tuples. Formally $A \times B = (A_1,\dots,A_m,B_1,\dots,B_n)$.

¹ We do not include 0 in the set $\mathbb{N}$, and write $\mathbb{N}_0$ for $\mathbb{N} \cup \{0\}$.
— The function space arena $A \Rightarrow B$ is constructed as follows: the initial moves of $A \Rightarrow B$ are those of $B$; and to the tree below each such initial move, we graft a copy of $A$. More precisely $A \Rightarrow B = (C_1,\dots,C_n)$ where
$$C_i = \{\varepsilon\} \cup \{a \cdot s \mid 1 \le a \le m \wedge s \in A_a\} \cup \{(a+m) \cdot s \mid a \cdot s \in B_i\}.$$

The reader may wish to check that $M \Rightarrow M = (\{\varepsilon, 1\})$, and that $U \Rightarrow U$ and $U$ are equal as arenas.
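To make the two constructions concrete, here is an added Python implementation (not code from the paper) of arenas in sequence-subset form: a move is a tuple of positive integers, the root is the empty tuple, and an arena is a tuple of prefix-closed trees. It builds $A \times B$ and $A \Rightarrow B$ exactly as defined above and checks the finite identity the reader is invited to verify, plus the currying identity $(M \times M) \Rightarrow M = M \Rightarrow (M \Rightarrow M)$; the infinite identity $U \Rightarrow U = U$ is not enumerated.

```python
from typing import FrozenSet, Tuple

Move = Tuple[int, ...]            # a sequence of positive naturals; () is the root epsilon
Tree = FrozenSet[Move]            # a prefix-closed set of moves with contiguous child labels
Arena = Tuple[Tree, ...]          # a finite tuple of trees

EPS: Move = ()


def is_tree(t: Tree) -> bool:
    """Root present, prefix-closed, and s.n in t implies s.m in t for 1 <= m < n."""
    if EPS not in t:
        return False
    for s in t:
        if s == EPS:
            continue
        parent, label = s[:-1], s[-1]
        if label < 1 or parent not in t:
            return False
        if any(parent + (m,) not in t for m in range(1, label)):
            return False
    return True


def is_arena(a: Arena) -> bool:
    return all(is_tree(t) for t in a)


def product(a: Arena, b: Arena) -> Arena:
    """A x B: the concatenation of the two tuples of trees."""
    return tuple(a) + tuple(b)


def function_space(a: Arena, b: Arena) -> Arena:
    """A => B: one tree per tree B_i of B; under its root, the trees of A are grafted
    with labels 1..m and the subtrees of B_i's root are shifted to labels a+m."""
    m = len(a)
    result = []
    for b_tree in b:
        c = {EPS}
        for label, a_tree in enumerate(a, start=1):
            c.update((label,) + s for s in a_tree)
        c.update((s[0] + m,) + s[1:] for s in b_tree if s != EPS)
        result.append(frozenset(c))
    return tuple(result)


def is_o_move(s: Move) -> bool:
    """Even depth (root included) is an O-move, odd depth a P-move."""
    return len(s) % 2 == 0


E: Arena = ()                         # the empty arena
M: Arena = (frozenset({EPS}),)        # the minimal one-tree arena


if __name__ == "__main__":
    mm = function_space(M, M)
    print(mm == (frozenset({EPS, (1,)}),))                            # True: M => M = ({eps, 1})
    print(function_space(product(M, M), M) == function_space(M, mm))  # True: currying
    print(function_space(E, M) == M, function_space(M, E) == E)       # True True
    print(is_o_move((1,)))                                            # False: A's root became a P-move
```

Note how the grafting flips polarity: the root of $A$, an O-move in $A$, sits at depth 1 in $A \Rightarrow B$ and is therefore a P-move there, which is what lets P "play back" O's moves in the opposite component.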

A justified sequence of an arena $A$ is a sequence of moves of which each element except the first, which must be an initial move, is equipped with a pointer to some previous move. We call the pointer a justification pointer and if the move $m^-$ is pointed to by $m$ we say that $m^-$ justifies $m$. We say that a move $m^-$ in a justified sequence hereditarily justifies $m$ if one can reach $m^-$ from $m$ by repeatedly following justification pointers. A justified sequence $s$ is said to be well-formed if elements of $s$ alternate between P-moves and O-moves and if $m \in s$ is justified by $m^-$ then the move $m$ is directly beneath $m^-$ in the tree of the arena². Henceforth all justified sequences are assumed to be well-formed. The P-view of a justified sequence $s$, written $\ulcorner s \urcorner$, is given recursively by:
$$\ulcorner m \urcorner = m \quad \text{for initial moves } m$$
$$\ulcorner s \cdot m \urcorner = \ulcorner s \urcorner \cdot m \quad \text{for } m \text{ a P-move}$$
$$\ulcorner s \cdot m^- \cdot t \cdot m \urcorner = \ulcorner s \urcorner \cdot m^- \cdot m \quad \text{for } m \text{ an O-move justified by } m^-$$
The definition of the O-view, $\llcorner s \lrcorner$, is given analogously.

A legal position of an arena $A$ is a well-formed justified sequence $s$ satisfying the visibility condition: for each non-initial P-move $m$ justified by $m^-$, say $s = t_1 \cdot m^- \cdot t_2 \cdot m \cdot t_3$, we have that $m^- \in \ulcorner t_1 \cdot m^- \cdot t_2 \urcorner$. Similarly all O-moves are justified by P-moves appearing in the O-view up to that point. Then if $s$ is a legal position then so are $\ulcorner s \urcorner$ and $\llcorner s \lrcorner$. By a P-view of an arena $A$, we shall mean a justified sequence which is the P-view of some legal position of $A$.

Lemma 1 (View Characterisation). A justified sequence of an arena $A$ is a P-view if and only if it is well-formed and every non-initial O-move is justified by the immediately preceding P-move.
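The recursive definition of the P-view and the visibility condition are easy to get wrong by hand, so here is an added Python implementation (not code from the paper) over a constructed single-tree arena $((M \Rightarrow M) \Rightarrow M) \Rightarrow M$, whose moves are $\varepsilon, 1, 11, 111$. A justified sequence is a list of (move, index of justifier); the code computes P- and O-views, checks legality, and verifies on a constructed sample position that the P-view of a legal position is itself legal and has the shape stated by Lemma 1, while a second sequence that differs only in one pointer violates visibility.

```python
from typing import FrozenSet, List, Optional, Tuple

Move = Tuple[int, ...]
# (move, index of the justifying earlier element); the initial move has no pointer
JSeq = List[Tuple[Move, Optional[int]]]

# Constructed arena ((M => M) => M) => M in sequence-subset form.
ARENA: FrozenSet[Move] = frozenset({(), (1,), (1, 1), (1, 1, 1)})


def is_o_move(m: Move) -> bool:
    return len(m) % 2 == 0            # even depth: O-move (root included)


def well_formed(s: JSeq, arena: FrozenSet[Move]) -> bool:
    """First element is the root without pointer, O/P alternate, every move is in the
    arena, and each pointer goes to an earlier move that is the parent in the tree."""
    if not s or s[0] != ((), None):
        return False
    for i, (m, j) in enumerate(s):
        if m not in arena or is_o_move(m) != (i % 2 == 0):
            return False
        if i > 0 and (j is None or not 0 <= j < i or s[j][0] != m[:-1]):
            return False
    return True


def p_view(s: JSeq) -> List[int]:
    """Indices of the moves making up the P-view of s, by the recursive definition."""
    last = len(s) - 1
    if last == 0:
        return [0]
    m, j = s[last]
    if not is_o_move(m):                      # view(s . m) = view(s) . m  for a P-move m
        return p_view(s[:-1]) + [last]
    return p_view(s[:j]) + [j, last]          # view(s . m^- . t . m) = view(s) . m^- . m


def o_view(s: JSeq) -> List[int]:
    """The dual O-view: P-moves are kept together with their justifier."""
    last = len(s) - 1
    if last == 0:
        return [0]
    m, j = s[last]
    if is_o_move(m):
        return o_view(s[:-1]) + [last]
    return (o_view(s[:j]) if j > 0 else []) + [j, last]


def is_legal(s: JSeq, arena: FrozenSet[Move]) -> bool:
    """Well-formed plus visibility: a P-move's justifier lies in the P-view of the
    prefix before it, an O-move's justifier in the O-view of that prefix."""
    if not well_formed(s, arena):
        return False
    for i in range(1, len(s)):
        m, j = s[i]
        prefix = s[:i]
        visible = o_view(prefix) if is_o_move(m) else p_view(prefix)
        if j not in visible:
            return False
    return True


def restrict(s: JSeq, indices: List[int]) -> JSeq:
    """The justified subsequence at the given indices, pointers renumbered; a pointer
    that leaves the subsequence becomes None and will fail well_formed."""
    new_index = {old: new for new, old in enumerate(indices)}
    return [(s[k][0], None if s[k][1] is None else new_index.get(s[k][1])) for k in indices]


def lemma1_shape(v: JSeq, arena: FrozenSet[Move]) -> bool:
    """Lemma 1: well-formed and every non-initial O-move justified by the move just before it."""
    return well_formed(v, arena) and all(
        j == i - 1 for i, (m, j) in enumerate(v) if i > 0 and is_o_move(m))


# Constructed sample positions on ARENA (moves written as tuples).
LEGAL: JSeq = [((), None), ((1,), 0), ((1, 1), 1), ((1, 1, 1), 2), ((1, 1), 1), ((1, 1, 1), 4)]
NOT_VISIBLE: JSeq = LEGAL[:-1] + [((1, 1, 1), 2)]   # same moves, last pointer to a hidden move


if __name__ == "__main__":
    print(is_legal(LEGAL, ARENA), is_legal(NOT_VISIBLE, ARENA))   # True False
    print(p_view(LEGAL))                                           # [0, 1, 4, 5]
    view = restrict(LEGAL, p_view(LEGAL))
    print(is_legal(view, ARENA), lemma1_shape(view, ARENA))       # True True
```

In the illegal sequence the last P-move points at the first occurrence of $11$, which the second occurrence of $11$ (justified by the same P-move) has pushed out of the P-view; the pointer is to a parent in the tree, so well-formedness alone does not catch it.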

Within arenas there are games played out between P and O. A P-strategy $\sigma$ for a single-tree arena $A$ consists of a prefix-closed subset of legal positions of $A$ which is deterministic (if $s \cdot m \in \sigma$ and $s \cdot m' \in \sigma$ for P-moves $m$ and $m'$ then $m = m'$) and such that if $s \cdot m \in \sigma$ for a P-move $m$ and $s \cdot m \cdot m'$ is a legal position of $A$ then $s \cdot m \cdot m' \in \sigma$. An O-strategy is defined analogously. However we are more often interested in P-strategies, which we will usually just refer to as strategies. For a general arena $A = (A_1,\dots,A_n)$ a P-strategy is an $n$-tuple of P-strategies, one for each tree. In contrast, an O-strategy is just a single O-strategy on one of the trees, together with information which selects that tree.

² The no-dangling-question-mark condition in [3,7] (equivalently the well-bracketing condition) is redundant for our arenas.
If we have strategies $\sigma$ and $\tau$ on arenas $A \Rightarrow B$ and $B \Rightarrow C$ respectively then we can form their composite strategy $\sigma;\tau$ on $A \Rightarrow C$. Informally we do this by identifying O/P-moves of the $B$ component of $A \Rightarrow B$ with P/O-moves of the $B$ component of $B \Rightarrow C$, and then hiding all the moves in $B$. This is reminiscent of CSP's "parallel composition" and "hiding" operators; see [4] for a formal definition. Similar ideas extend to arenas of multiple trees. An essentially straightforward result, although tedious in proof, is that composition is well-defined and associative. We will only be interested in strategies with a property called innocence.

A P-strategy $\sigma$ is innocent if for odd-length legal positions $s$ and $t$ and P-moves $m$, $s \cdot m \in \sigma \wedge t \in \sigma \wedge \ulcorner s \urcorner = \ulcorner t \urcorner \Rightarrow t \cdot m \in \sigma$, and the moves $m$ are justified by moves which are identical in the P-view $\ulcorner s \urcorner = \ulcorner t \urcorner$, i.e. P's next move, and its justification, at each stage depend only on the P-view up to that point. An important fact is that composition of innocent strategies is well-defined (for a proof see [3, §5.3]): if $\sigma$ is an innocent strategy on $A \Rightarrow B$ and $\tau$ an innocent strategy on $B \Rightarrow C$ then $\sigma;\tau$ is an innocent strategy on $A \Rightarrow C$.

The property of innocence means that such a strategy is determined by a partial function from odd-length P-views to justified P-moves, i.e. P-moves equipped with a justification pointer back into the P-view. In fact, given an innocent strategy $\sigma$, we can define a canonical such function, which we write $f_\sigma$, that defines it. A function constructed in this way is called innocent and we can formalise such functions. We say that $f$ is an innocent function if $f$ is a partial function from odd-length P-views in $A$ to justified P-moves of $A$ such that $\mathrm{dom}(f)$ is closed under odd-length prefix, and if $s \cdot m \cdot m' \in \mathrm{dom}(f)$ then $f(s) = m$. We note that such a function can only encode an innocent strategy. The conditions given are required to make the function "strategic", i.e. the set of legal positions it describes is prefix-closed, deterministic and made up of properly justified sequences of moves. These conditions are sufficient to allow us to define the reverse construction of a unique strategy $\sigma_f$ from an innocent function $f$ such that the construction is invertible (i.e. $f_{\sigma_f} = f$ and $\sigma_{f_\sigma} = \sigma$) and it preserves and reflects inclusion (i.e. $f \subseteq f' \iff \sigma_f \subseteq \sigma_{f'}$). Thus we can identify the representation by innocent function and that by subset of legal positions.

An innocent strategy is said to be compact if the graph of its innocent function is finite (i.e. it is defined on finitely many P-views). It is said to be recursive if the innocent function representing it is recursive. It is easy to see that the composition of two recursive innocent strategies is itself recursive.

Definition 1. Objects of the Category of Arenas and Innocent Strategies, 𝒜, are
arenas (in sequence-subset form); morphisms f : A → B are innocent strategies
on the function space arena A ⇒ B. Composition of morphisms is composition
as strategies. The Category of Arenas and Recursive Innocent Strategies, 𝒜_rec,
has recursive arenas as objects and recursive innocent strategies as morphisms.

Theorem 1. 𝒜 and 𝒜_rec are both cartesian closed.

The terminal object 1 of both 𝒜 and 𝒜_rec is the empty arena E, and the
categorical constructions of product and function space are exactly the respective
arena constructs. The category 𝒜 is enriched over dI-domains. One cannot say
the same of 𝒜_rec, because the computable partial functions do not form a
cpo. For example, one can "approximate" the Halting Problem by computable
functions.

Scott has observed that every λ-algebra arises from a reflexive object R in
some cartesian closed category 𝒞; that is, there exist morphisms Fun : R →
[R ⇒ R] and Gr : [R ⇒ R] → R such that Gr;Fun = id_{[R⇒R]}. Thus we
may specify a λ-algebra by a 4-tuple (𝒞, R, Fun, Gr) (it is in fact a λη-algebra if
Fun;Gr = id_R); the underlying set of the λ-algebra is the set 𝒞(1, R) of global
sections. If the reflexive object R has enough points (i.e. ∀f, g : R → R. [∀r :
1 → R. r;f = r;g] ⟹ f = g) then (𝒞, R, Fun, Gr) is a λ-model (i.e. a weakly
extensional λ-algebra). We refer the reader to [1] for a comprehensive treatment
of the model theory of the untyped λ-calculus.

Recall that the arena U has the key property that U = U ⇒ U, so that in this
case the morphisms Fun and Gr are both the identity on U. We can now define
the first two of our game λ-algebras (which are both λη-algebras): (𝒜, U, id_U, id_U),
which we shall write simply as 𝒟, and (𝒜_rec, U, id_U, id_U), which we shall write as
𝒟_rec. By abuse of notation, we shall use 𝒟 and 𝒟_rec to denote the respective
underlying sets. Clearly 𝒟_rec ⊆ 𝒟. By a method of approximation we can show
that both λη-algebras are sensible, i.e. all unsolvable λ-terms have the same
denotation, which in this case is given by the everywhere undefined innocent
function.

3 Effectively Almost-Everywhere Copycat Strategies 

There are three properties that allow for a more compact representation of an
innocent strategy:

(i) Each non-initial O-move in any P-view must be a child of the previous move,
and the initial move must be ε.

(ii) Given only the O-moves of a P-view and the value of the innocent function
on strictly shorter P-views we can reconstruct the original P-view entirely.

(iii) The P-move to which this P-view is mapped must be a child of the move
justifying it.

In view of these redundancies, we encode innocent strategies σ, over any single-
tree arena, as (partial) maps from ℕ* to ℕ × ℕ_0 (where ℕ_0 = {0, 1, 2, ...}). We
call this encoding the economical form of σ and sometimes write it f_σ (quite
often we abuse notation and write it σ too). It is defined as follows:

$$
f_\sigma : (v_1, \ldots, v_n) \mapsto (i, p) \quad\text{if and only if}\quad
f_\sigma(\varepsilon \cdot s_1 \cdot s_1 v_1 \cdot s_2 \cdot s_2 v_2 \cdots s_n \cdot s_n v_n)
= s_{n-p} v_{n-p}\, i \ \text{ with justification pointer to } s_{n-p} v_{n-p}
$$

where $s_0 v_0$ is read as $\varepsilon$; in other words the response is the $i$-th child of the O-move $2p$ from the last in the P-view, justified by that move.
Justification pointers in the P-view can be deduced from the behaviour of f_σ on
shorter P-views, and so have been omitted. Note that each s_i is a sequence of
natural numbers.
Furthermore, we can expand any partial function f : ℕ* ⇀ ℕ × ℕ_0 which has
prefix-closed domain and satisfies f(v) = (i, p) ⟹ 0 ≤ p ≤ |v| into an innocent
strategy on U. Depending on the function, we might not need the whole of U
to contain the strategy. We could extend this idea for multiple-tree arenas, but
since we will not use it except on the arena U there is no need to do so.



Example 1. The following is the innocent function of the "copycat" strategy id_U
(each P-view is abbreviated to its O-moves):

    ε          ↦  1
    ε 1a       ↦  (a+1)
    (a+1)s     ↦  1as
    1asb       ↦  (a+1)sb
    1as        ↦  (a+1)s
    (a+1)sb    ↦  1asb

Here s ranges over sequences of appropriate parity, and a and b over positive natural
numbers. The reader is invited to check that the economical form of this strategy
is given by: ε ↦ (1, 0), i ↦ (i + 1, 1) and, for nonempty sequences v, vi ↦ (i, 1).
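The economical form can be decoded mechanically. The Python below is an added example, not code from the paper: it reconstructs the full P-view from its code v using the strategy's values on shorter prefixes (property (ii) above), computes the response as the i-th child of the O-move 2p from the last, and implements the inverse encoding. The copycat strategy is the one stated in Example 1 (so the block also reproduces the pairs ε ↦ (1,0), (1) ↦ (2,1), (2) ↦ (3,1) quoted for ⟦I⟧ in Example 2 below); the function names and the small partial strategy used to show the undefined cases are ours.

```python
from typing import Callable, List, Optional, Tuple

Move = Tuple[int, ...]                               # a node of a single-tree arena (path from the root)
Econ = Callable[[Move], Optional[Tuple[int, int]]]   # economical form: v -> (i, p), or None if undefined


def copycat_econ(v: Move) -> Optional[Tuple[int, int]]:
    """Economical form of the copycat strategy id_U as stated at the end of Example 1:
    eps -> (1, 0);  (i) -> (i + 1, 1);  v.i -> (i, 1) for non-empty v."""
    if len(v) == 0:
        return (1, 0)
    if len(v) == 1:
        return (v[0] + 1, 1)
    return (v[-1], 1)


def expand_pview(f: Econ, v: Move) -> Optional[List[Move]]:
    """Reconstruct the full P-view  eps . s_1 . s_1 v_1 . s_2 . s_2 v_2 ... s_n . s_n v_n
    encoded by v = (v_1, ..., v_n), querying f only on proper prefixes of v.
    Returns None if f is undefined on one of those prefixes."""
    pview: List[Move] = [()]          # the initial O-move eps
    omoves: List[Move] = [()]         # omoves[k] = s_k v_k, with omoves[0] = eps
    for k, vk in enumerate(v):
        r = f(v[:k])
        if r is None:
            return None
        i, p = r
        if p > k:
            raise ValueError("economical form violates 0 <= p <= |v|")
        s_k = omoves[k - p] + (i,)    # P-move: i-th child of the O-move 2p from the last
        o_k = s_k + (vk,)             # O-move: v_k-th child of the P-move just played
        pview += [s_k, o_k]
        omoves.append(o_k)
    return pview


def response(f: Econ, v: Move) -> Optional[Move]:
    """The P-move (without its pointer) that f assigns to the P-view encoded by v."""
    pview = expand_pview(f, v)
    r = f(v)
    if pview is None or r is None:
        return None
    i, p = r
    omoves = pview[0::2]              # even positions of a P-view are the O-moves
    return omoves[len(omoves) - 1 - p] + (i,)


def encode_response(pview: List[Move], pmove: Move) -> Tuple[int, int]:
    """Inverse direction: from a P-view and P's response (a child of some O-move
    of the view) recover the economical pair (i, p)."""
    omoves = pview[0::2]
    parent, i = pmove[:-1], pmove[-1]
    for p in range(len(omoves)):
        if omoves[len(omoves) - 1 - p] == parent:
            return (i, p)
    raise ValueError("response is not the child of an O-move in the P-view")


def only_first_move(v: Move) -> Optional[Tuple[int, int]]:
    """A constructed partial strategy, defined at eps only, to exercise the None cases."""
    return (1, 0) if v == () else None
```

With `copycat_econ`, the code (3, 5) expands to the P-view ε, 1, 13, 4, 45 and the response is 135: the copy of O's last move into the subtree rooted at 1, exactly the row (a+1)sb ↦ 1asb of Example 1.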

A principle of the λ-calculus is that a term can be applied successively to any
other term. So the term λx.x (say) is really more like "λxz_0z_1z_2··· • xz_0z_1z_2···"
(we use a large dot • to make the "end" of the infinite chain of abstractions really
clear). Thus there is some notion of infinite η-expansion. If we think about the
denotation of λx.x in the game models, it is similarly expanded: it copies the
whole of the first subtree to the rest of the arena, as if copying not only the
x variable but also all of its arguments. This correspondence turns out to be
general, and can be made precise by relating innocent strategies in economical
form to a kind of (infinitely) η-expanded Böhm trees first studied by Nakajima
in [6]. We call a formal connexion of this form an Exact Correspondence Theorem.

For a λ-term s the Nakajima tree of s, written NT(s), is (informally) the
countably branching, countably deep tree labelled as follows. If s is unsolvable
then NT(s) = ⊥, the empty tree. If s has HNF λx_1 ... x_n • y s_1 ... s_m then

    NT(s) = λx_1 ... x_n z_0 z_1 ... • y
            |
            NT(s_1) ··· NT(s_m) NT(z_0) NT(z_1) ···

where z_0, z_1, ... are countably many fresh variables. The process of finding such
fresh variables given in [6] is quite complicated. In [4] we propose a variable-free
representation of Nakajima trees so that for a closed term s, NT(s) is represented
as VFF(s), a partial function from ℕ* to ℕ × ℕ_0. Note that the "infinitely nested"
λ-abstractions of the form λz_1 z_2 ... • y, which label the nodes of a Nakajima tree
(of a closed term), can be coded as a pair (i, r) whereby the head variable y
is the i-th in the infinite list of variables bound by the λ-abstraction situated r
levels up in the tree. The map VFF(s) is just a function that maps occurrences
(of nodes) to such labels encoded as pairs of numbers.

The theorem of key importance in [4] is the Exact Correspondence Theorem,
which states that for every closed λ-term s, the innocent strategy denoting s (in
both 𝒟 and 𝒟_rec) given in economical form is exactly VFF(s), the Nakajima
tree of s in variable-free form.
Example 2. We now introduce example terms and strategies which we will use
repeatedly to illustrate many of the concepts in the rest of the paper. Consider
the terms I = λx.x and 1 = λxy.xy. The reader may wish to verify that the
following represents the first two levels of the Nakajima trees of those terms:

    NT(I) = λx z_0 z_1 ... • x                NT(1) = λxy z_0 z_1 ... • x
            |                                         |
            λu • z_0  λv • z_1  λw • z_2 ···          λu • y  λv • z_0  λw • z_1 ···

After renaming of bound variables, these are the same. Since I and 1 differ only
by η-conversion, this should be no surprise. Thus we can calculate their common
variable-free form, the first two levels of which are:

    (1,0)
    |
    (2,1) (3,1) (4,1) ···

For example, the node labelled (2, 1) means that the head variable of the corresponding
node in the Nakajima tree is found as the second in the list of variables
abstracted at the node one level above. The Exact Correspondence Theorem
tells us that ⟦I⟧ = ⟦1⟧ has the economical form which is given (in part) by
ε ↦ (1, 0), (1) ↦ (2, 1), (2) ↦ (3, 1) and so on.

We say that a λ-algebra is universal if every element is the denotation of some
λ-term. By the Exact Correspondence Theorem, it is easy to see that neither 𝒟
nor 𝒟_rec is universal, since no non-trivial compact innocent strategy can be the
denotation of any λ-term (note that the only finite Nakajima tree is the single-
node tree ⊥). Our aim in the rest of this section is to characterise the definable
parts of 𝒟_rec, and we shall do so by capturing the right ambient CCC.

Notation. For tree-like A ⊆ ℕ* (i.e. those subsets which are prefix-closed and
satisfy s·n ∈ A ⟹ s·m ∈ A for all m < n) and for any s ∈ A we define

    A @ s    = the subtree of A rooted at s
    A^{>m}   = the tree obtained from A by deleting the first m branches.

For example, for the maximal single-tree arena U, we have U @ s = U = U^{>n}
for all sequences s and numbers n. Next fix an innocent strategy in economical
form f and let v ∈ dom(f). We shall use the following shorthand:

    m_O^f(v) = the last move of the P-view encoded by v
    m_P^f(v) = the response of σ_f at that P-view.

Note that the former is by definition an O-move and the latter a P-move. We omit
the superscript f wherever it is clear which strategy is intended. For example,
for any innocent strategy f the O-move m_O(ε) is the initial move ε and m_P(ε)
is the first P-move made by σ_f in response. Now we can define a new property
of strategies:
Definition 2. Consider an innocent strategy in economical form f : ℕ* ⇀ ℕ ×
ℕ_0, over some single-tree arena A. We say that f is everywhere copycat (EC)
at v ∈ ℕ* if f is undefined at v or the following hold:

(i) The arenas A @ m_O(v) and A @ m_P(v) are order-isomorphic (with respect
to the prefix ordering).

(ii) Whenever w ≥ v we have that for all i ∈ ℕ, f(w·i) = (i, 1).

(iii) If f(v) = (i, p) then p > 0.

We say that f is almost-everywhere copycat (AC) at v if f is undefined at
v or there exist numbers t_v ∈ ℕ_0 and o_v ∈ ℤ with o_v ≤ t_v, called the copycat
threshold and offset respectively, such that

(i) The arenas (A @ m_O(v))^{>t_v} and (A @ m_P(v))^{>t_v − o_v} are isomorphic.

(ii) For all i > t_v, f(v·i) = (i − o_v, 1) and f is everywhere copycat at v·i.

(iii) For all w ≥ v·k with k ≤ t_v, if f(w) = (i, |w| − |v|) then i ≤ t_v − o_v.

(iv) If f(v) = (i, 0) then i ≤ t_v − o_v.

(Note that f is EC at v if and only if f is AC at v with t_v = o_v = 0.)
Finally, we say that f is effectively almost-everywhere copycat (EAC) if f is
computable, almost-everywhere copycat at every sequence on which it is defined,
and the functions v ↦ t_v and v ↦ o_v are computable. A strategy σ over an arena
A is EAC if its innocent function is EAC, and we can generalise to multiple-tree
arenas in the usual way.

To illustrate the definition of everywhere copycat strategies, suppose f is
defined at v. Intuitively we say that f is everywhere copycat at v if, from m_P(v)
onwards, f's behaviour is simply to play copycat for as long as the arena will
allow it. So if O's move is m·i, the i-th child of the justifying move m, then P
responds with the i-th child of the move immediately preceding m in the P-view.
Condition (i) in the definition guarantees that P's copycat move will always be
available. As before we will primarily be interested in strategies on U. Since
U @ s = U = U^{>n} for all sequences s and numbers n, Condition (i) will always
hold. Condition (ii) is best understood with reference to the Exact Correspondence
Theorem, which relates innocent strategies to Nakajima trees. It specifies
that the subtree of the Nakajima tree corresponding to f, rooted at v, has the
following shape:

    λx_1 x_2 ... • y
    |
    NT(x_1) NT(x_2) ···

Condition (iii) of the definition is a technicality, which ensures that the variable
y is not one of the
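Conditions (ii) to (iv) of Definition 2 can be checked by machine on a strategy given in economical form. The Python below is an added example, not code from the paper: it restates the copycat strategy of Example 1 and tests whether a proposed threshold t and offset o make the strategy almost-everywhere copycat at a P-view code v. Condition (i) holds automatically on U and is not checked; the quantifiers over all extensions w and all children i are bounded by a depth and a branching width, so the check is a finite approximation. It also exhibits the non-uniqueness of thresholds that Sect. 4 relies on (any larger threshold with the same offset stays valid) and the fact that the offset at ε must be −1 for this strategy. Function names and the bounds are ours.

```python
from typing import Callable, Optional, Tuple

Move = Tuple[int, ...]
Econ = Callable[[Move], Optional[Tuple[int, int]]]


def copycat_econ(v: Move) -> Optional[Tuple[int, int]]:
    """Economical form of id_U from Example 1 (restated so this block runs alone)."""
    if not v:
        return (1, 0)
    if len(v) == 1:
        return (v[0] + 1, 1)
    return (v[-1], 1)


def is_ec_at(f: Econ, v: Move, depth: int = 3, width: int = 6) -> bool:
    """'Everywhere copycat at v' (Definition 2): (iii) p > 0 at v, and (ii) f(w.i) = (i, 1)
    for every extension w of v, checked up to `depth` further moves with children 1..width."""
    r = f(v)
    if r is None:
        return True                        # undefined at v: EC by definition
    if r[1] == 0:                          # (iii): the response must not point 0 from last
        return False
    frontier = [v]
    for _ in range(depth):
        nxt = []
        for w in frontier:
            for i in range(1, width + 1):
                if f(w + (i,)) != (i, 1):  # (ii): child i is answered by child i, 2 from last
                    return False
                nxt.append(w + (i,))
        frontier = nxt
    return True


def is_ac_at(f: Econ, v: Move, t: int, o: int, depth: int = 3, width: int = 6) -> bool:
    """'Almost-everywhere copycat at v' with threshold t and offset o (Definition 2),
    conditions (ii)-(iv) only; (i) is automatic on the arena U."""
    r = f(v)
    if r is None:
        return True
    if o > t:
        return False
    i0, p0 = r
    if p0 == 0 and i0 > t - o:             # (iv): a response 0 from last stays below t - o
        return False
    for i in range(t + 1, t + width + 1):  # (ii): beyond t, copy with offset o, then pure copycat
        if f(v + (i,)) != (i - o, 1) or not is_ec_at(f, v + (i,), depth, width):
            return False
    frontier = [v + (k,) for k in range(1, t + 1)]
    for _ in range(depth):                 # (iii): responses pointing back to m_O(v) stay below t - o
        nxt = []
        for w in frontier:
            rw = f(w)
            if rw is not None and rw[1] == len(w) - len(v) and rw[0] > t - o:
                return False
            nxt.extend(w + (i,) for i in range(1, width + 1))
        frontier = nxt
    return True


def least_threshold(f: Econ, v: Move, o: int, limit: int = 10) -> Optional[int]:
    """Smallest t in [max(o, 0), limit] for which (t, o) is a valid threshold/offset at v,
    or None if no such t exists in that range."""
    for t in range(max(o, 0), limit + 1):
        if is_ac_at(f, v, t, o):
            return t
    return None
```

At ε the copycat strategy is AC with (t, o) = (0, −1) but not with (0, 0) or (1, 0); with offset −1 every threshold 0, 1, 2, ... is valid, and at every non-empty v it is everywhere copycat, i.e. AC with t = o = 0, which are the threshold functions t_0 and t_1 of Example 3.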

Definition 3. The category of arenas and EAC strategies, 𝒜_EAC, has recursive
arenas as objects and EAC strategies on A ⇒ B as morphisms from A to B.

A main result in [4] is that the category 𝒜_EAC is well-defined; the proof that
EAC strategies compose is highly technical. In fact:

Theorem 2. 𝒜_EAC is cartesian closed.

The arena U is still an object of 𝒜_EAC and still equal to its function space.
Thus we can define a λη-algebra (𝒜_EAC, U, id_U, id_U) which we shall denote by
𝒟_EAC. Properties of 𝒟_EAC will be presented later.

4 Effectively and Explicitly Almost-Everywhere Copycat Strategies

We wish to find a new game model which invalidates the rule of η-conversion.
To do so, we would require the terms I and 1 to be denoted differently. They
have the same variable-free form of Nakajima tree, so it is not apparent how this
might be achieved. The key is to make use of the fact that the copycat thresholds
are not unique — any number greater than a given valid copycat threshold is
also a valid copycat threshold. Different thresholds (at some P-view) may be
used to distinguish I and 1.

This idea is prompted by the observation that when one compares a term
with its denotation, the part of the EAC strategy which is specified by the rules
of copycat corresponds precisely to the part of the Nakajima tree which has been
generated by η-expansion (i.e. the part of the tree with the fresh variables as the
head variables). Recall the Nakajima trees of I and 1 — the former has fresh
variables appearing at every node except the root, whereas the latter is similar
except that there is not a fresh variable at the first child of the root. Therefore
we aim to find a model where I and 1 are represented by the strategy with the
same moves, but the copycat threshold of ⟦I⟧ at the first P-view is 0, whereas
that of ⟦1⟧ is 1.

However, the definition of an EAC strategy is stated in terms of the existence
of some computable function which associates a pair of numbers to each P-view
of the strategy, and this function is not specified along with the strategy. (A
consequence of this is that there is no computable procedure for finding valid
thresholds for an EAC strategy.) It is really the thresholds (rather than the
offsets) that are important because, for a certain P-view v of an EAC strategy
σ, the copycat threshold t gives enough information to compute the offset o
directly. This motivates the following definition:

Definition 4. An effectively and explicitly almost-everywhere copycat strategy
(EXAC strategy) is given by a pair (σ, t_σ), where σ is an EAC strategy and t_σ
is an effective function mapping the P-views where σ is defined to valid copycat
thresholds. We sometimes write the EXAC strategy (σ, t_σ) just as σ.

We will usually refer to the first and second part of an EXAC strategy as
the "(underlying) EAC strategy (part)" and the "threshold function (part)",
respectively. In view of our comments above, however, we will sometimes speak
of the offsets as if they too are specified by the threshold function.

This definition allows us to make the intended finer distinction between strategies:
two strategies with the same moves must be equal as EAC strategies,
but may have different copycat thresholds and so can be distinguished as EXAC
strategies. There is an obvious forgetful map from EXAC strategies to EAC
strategies, which takes only the strategy part (i.e. erasing the threshold information).

In a similar vein to the economical form of innocent strategies, using the
same encoding of a P-view as a sequence of natural numbers, we can give an
economical form of EXAC strategies over single-tree arenas. We can also take
advantage of the fact that parts of the strategy are completely dictated by its
copycat nature. Let us say that a P-view is entirely explicit if none of the O-
moves in it exceed the copycat threshold of the P-view at which they are made.
Thus if a P-view is not entirely explicit the ensuing move can be deduced from
the threshold and offset of the P-view preceding the first O-move in it which did
exceed the copycat threshold.

Definition 5. The economical form of an EXAC strategy is a map from ℕ* to
ℕ × ℕ_0 × ℕ_0 × ℤ. The domain is the encoding of P-views in the usual way. The
map is defined at a sequence v only if the P-view encoded by v is entirely explicit,
in which case

    v ↦ (i, r, t, o)

where the resulting P-move is encoded as before — it is the i-th child of the move
2r from last of the P-view — and the copycat threshold and offset at this P-view
are t and o respectively.

Example 3. We take the EXAC strategies η_0 and η_1 to be (⟦I⟧, t_0) and (⟦1⟧, t_1),
where t_0 maps every P-view to the threshold 0 and t_1 does likewise except that
the minimal P-view is mapped to the threshold 1. Since ⟦I⟧ = ⟦1⟧, they have
the same EAC strategy part, but different threshold functions. These are the
suggestions we made for the denotations of I and 1 in a model not supporting
η-conversion. Nearly every P-view of either is not entirely explicit, and the
respective economical forms are given by:

    η_0:  ε ↦ (1, 0, 0, −1)          η_1:  ε ↦ (1, 0, 1, −1)
                                           (1) ↦ (2, 1, 0, 0)

We now need a method to compose EXAC strategies. Of course the EAC
strategy part will just be the standard composition of innocent strategies, and
we give below an algorithm for computing the composition of the threshold
functions.

Algorithm 1 (The Composition Algorithm). Let (σ, t_σ) be an EXAC strategy
over A ⇒ B, and (τ, t_τ) be an EXAC strategy over B ⇒ C. Take a P-view
v on which the strategy σ;τ (which is given by the usual composition of innocent
strategies) is defined, and suppose that the last move of the P-view is n and the
resulting move is m.

We write u = u(v, σ, τ) for the uncovering of the composition up to the move
m. A formal definition can be found in [3] or [4], but we may describe it as the
sequence of moves of the composition which result after the P-view v, including
any relevant B-moves which would be hidden by the composition. It will be of
the form (ε, ..., n, m_1, m_2, ..., m_{p−1}, m_p, m).

The moves m_i are the intermediate interactions which might have taken place
between σ and τ before the move m became the visible outcome, and are all in
the arena B. Possibly there are no such intermediate moves, in which case p = 0.
We do not care about justification pointers, and for tidiness set m_0 = n and
m_{p+1} = m.

For 1 ≤ i ≤ p+1 we consider the P-view u_i that the strategy σ or τ is
faced with when the move m_i was made. (For details on how one may define such
a P-view precisely see [4] or [5].) Define t_i and o_i to be the copycat threshold
and offset of σ or τ, as appropriate, at the P-view u_i. These are specified by t_σ
or t_τ. Then set:

$$
t'_i = \begin{cases} t_i + |A| & \text{if } m_i \text{ is a root of the arena } B \\ t_i & \text{otherwise} \end{cases}
\qquad
o'_i = \begin{cases} o_i + |A| & \text{if } m_i \text{ is a root of the arena } B \\ o_i & \text{otherwise} \end{cases}
$$

$$
t = T_{p+1}
\qquad
o = \begin{cases} O_{p+1} - |A| + |B| & \text{if } m \text{ is a root of the arena } C \\ O_{p+1} & \text{otherwise} \end{cases}
$$

where T_i and O_i are the thresholds and offsets accumulated along the uncovering,
given by the recurrences displayed below. (By |A| we mean the number of trees in
the arena A.) Then t and o are the copycat threshold and offset of the composition
(σ, t_σ);(τ, t_τ) at the P-view v.

Now we must show that this method does indeed produce an EXAC strategy,
i.e. that the composite threshold function specifies valid thresholds and offsets
for the composite strategy. In fact it does so only under some restrictions, for
which we need an additional definition.

Definition 6. Let σ be an EAC strategy over a single-tree arena. If σ has a
first move, then it has a copycat threshold and offset, say t and o, at the P-view
consisting only of the root O-move (we call this P-view the minimal P-view).
The l-number of σ is the value t − o, and we write it l(σ).

If σ = (σ_1, ..., σ_n) is an EAC strategy over an arena with n trees, and defined
on at least one of the minimal P-views, then we say l(σ) = min_i {l(σ_i)}.

This is termed the l-number of σ because, as will eventually be shown, it
corresponds to the number of λ-abstractions at the root of the Böhm tree of
the term whose denotation is σ. For example l(η_0) = 1 and l(η_1) = 2, and we
will be able to show that η_0 is the denotation of λx.x and η_1 the denotation of
λxy.xy.

Theorem 3. If σ : A ⇒ B and τ : B ⇒ C are EAC strategies satisfying
l(σ) ≥ |A| (or σ is everywhere undefined) and l(τ) ≥ |B| (or τ is everywhere
undefined), then Algorithm 1 produces valid copycat thresholds and offsets for
σ;τ.

There is an "obvious" category, which derives directly from the conditions
required for the composition algorithm to work correctly.



The accumulated thresholds T_i and offsets O_i used in the Composition Algorithm are given by

$$
T_1 = t'_1, \qquad O_1 = o'_1,
$$

$$
T_{i+1} = \max\{\,T_i + o'_{i+1},\ t'_{i+1}\,\}, \qquad O_{i+1} = O_i + o'_{i+1}.
$$
Definition 7. The category of arenas and EXAC strategies, written 𝒜_EXAC,
has recursive arenas as objects, and the morphisms from A to B are the EXAC
strategies on the arena A ⇒ B which have l-number greater than or equal to |A|,
or are everywhere undefined. The identity morphism on A is the EXAC strategy
(id_A, 0), i.e. the copycat threshold is zero everywhere.

One can show that this does indeed specify a category. Also, 𝒜_EXAC has the
obvious terminal object — the empty arena E — and products given in the
usual way. However, 𝒜_EXAC does not form a CCC with the usual constructions,
as the following example shows:

Example 4. Suppose that σ : A × B → C. Then we know that l(σ) ≥ |A| + |B|.
We need a morphism Λ(σ) : A → B ⇒ C, which must have l-number at least
|A|, so we could take Λ(σ) to be the same EXAC strategy as σ. However this
choice may not be unique. For example, consider η_0 and η_1 as defined earlier in
this section. One can verify that both η_0 and η_1 can be considered as morphisms
U → U ⇒ U, and that in this case η_0 × id_U; eval_{U,U} = η_1 × id_U; eval_{U,U} : U × U →
U, and that this is the same as the morphism U × U → U described by η_1. Hence
there are two candidates for Λ(η_1).

It is not clear that 𝒜_EXAC forms a CCC with any unusual function space
constructions either.

If we try to fix the definition of 𝒜_EXAC by cutting down the homsets some
more, it becomes clear that one must also specify minimum copycat thresholds
at the minimal P-views, along with minimum l-numbers. The obvious solution
still does not work, and we can repeat the fixing-up process to obtain a sequence
of failures — each is either not a category at all because identities fail to work
properly, or has a non-uniqueness of curried morphisms as above.

We now present a new category based on EXAC strategies, which does form
a CCC. Although it does appear to be much more complicated than the "almost-
CCC" 𝒜_EXAC, it seems to be the natural limit of the fixing-up process.

Firstly let us write br(A) for the number of branches of a tree A at the root
(assuming that this is finite). Then we can write br(A @ m), for any move m of
a finitely-branching forest A, to mean the number of direct children of m in A.
Then we make the following definition:

Definition 8. Let A be an arena and X a finitely-branching subarena³ of A.
We say that an EXAC strategy σ over A is X-explicit if the following holds:
Let σ : v ↦ (i, r, t, o) be the economical form of any clause of the innocent
function. Suppose that the sequence v codes a P-view ending in the O-move m,
and that the consequent P-move encoded by this clause is n. Then:

(i) if m is in the subarena X then t − o ≥ br(X @ m),

(ii) if n is in the subarena X then t ≥ br(X @ n).

³ We say that the arena A = (A_1, ..., A_m) is a subarena of B = (B_1, ..., B_n) if m = n,
and for each i, A_i is a subset of B_i. We say that an arena is finitely-branching if
every tree in it is finitely-branching.
An intuitive description of this definition is the following: the subarena X
determines a part of the arena A where the strategy is known to be explicitly
defined, i.e. moves in X are neither in the "domain" nor the "range" of automatic
copycat forced by the threshold information of σ. This means that given
a strategy σ over A which is X-explicit, any P-view of σ with moves only in X
is entirely explicit.

Definition 9. The category X𝒜_EXAC, or simply X𝒜, is given by the following:
objects are pairs (A, X) consisting of a recursive arena A and a finitely-branching
recursive subarena X; a morphism σ : (A, X) → (B, Y) is an EXAC strategy on
A ⇒ B which is (X ⇒ Y)-explicit. Composition of morphisms is composition of
EXAC strategies, and the identity strategy on (A, X), id_{(A,X)}, is the EXAC strategy
(id_A, t), where id_A is the EAC identity strategy on A, and t is the function
that takes the least value on every P-view which still leaves the EXAC strategy
(id_A, t) as (X ⇒ X)-explicit.

The fact that the composition algorithm gives valid thresholds and offsets
for EXAC strategies satisfying these conditions comes from Theorem 3 — a
morphism σ : (A, X) → (B, Y) is (X ⇒ Y)-explicit, and X has the same
number of trees as A, so in particular l(σ) ≥ |A|.

Theorem 4. X𝒜 forms a CCC with the following constructions: the terminal
object 1 is (E, E), where E is the empty arena; the product (A, X) × (B, Y) is (A ×
B, X × Y), with the threshold functions for projections specified in the same style
as identities; the exponential object (A, X) ⇒ (B, Y) is (A ⇒ B, X ⇒ Y), and
the evaluation map eval_{(B,Y),(C,Z)} is the same EXAC strategy as id_{(B,Y)⇒(C,Z)}.

Now that we have found an ambient CCC for the EXAC strategies, we can
construct another λ-algebra based on it. In this category, however, the reflexive
object is not isomorphic to its function space, exactly as we would hope for a
model invalidating η-conversion.

Let us write U⁰ for the object (U, M) of X𝒜, and U¹ for the object U⁰ ⇒ U⁰.
Here U and M are the maximal and minimal single-tree arenas described in
Sect. 2. We define morphisms F : U⁰ → U¹ and G : U¹ → U⁰ to both be given
by the EXAC strategy η_1 (the definition of which can be found in Sect. 4). It
is straightforward to check that this does give proper morphisms, and that they
satisfy G;F = id_{U¹} and F;G ≠ id_{U⁰}.

Hence we can identify a new λ-algebra (X𝒜, U⁰, F, G) which invalidates the
rule of η-conversion; we denote this λ-algebra 𝓜. By erasing all threshold
information, we can reduce 𝓜 to (a subset of) 𝒟 and deduce that 𝓜 is also
sensible.

In the same way that the denotation of a term in the model 𝒟_EAC had a strong
connection with its Nakajima tree, the denotation in 𝓜 corresponds closely to
(a variable-free version of) the Böhm tree. The variable-free form of the Böhm
tree of a term is similar to the construction VFF mentioned earlier and defined
in [4], but it includes extra information describing how many abstractions there
are at each node, and how many children.
Definition 10. For a (ℕ × ℕ_0 × ℕ_0 × ℤ)-labelled tree ρ the tree ρ⁺ is the same
tree labelled identically, except that nodes at depth d labelled (i, d+1, t, o) are
relabelled (i, d+2, t, o).

Similarly the tree {ρ}ⁿ, for n ∈ ℕ_0, is labelled identically except that firstly
the node at the root (i, r, t, o) is relabelled to (i, r, t, o − n), and then nodes
of depth d are relabelled as follows:

(i) those labelled (i, d, t, o) are relabelled (i + n, d, t, o);

(ii) those labelled (i, d+1, t, o) for i ≤ n are relabelled (n − i + 1, d, t, o);

(iii) those labelled (i, d+1, t, o) for i > n are relabelled (i − n, d+1, t, o).

For a term s with free variables within A the variable-free form of the Böhm
tree of s, VFBT_A(s), is the following (ℕ × ℕ_0 × ℕ_0 × ℤ)-labelled tree:

    VFBT_A(s) = ⊥, the empty tree, for unsolvable s.

    VFBT_A(λx_1 ... x_n • s) = { VFBT_{A,(x_1,...,x_n)}(s) }ⁿ,
        if s is of the form v_j s_1 ... s_m.

    VFBT_A(v_j s_1 ... s_m) = (j, 1, m, m)
                              |
                              VFBT_A(s_1)⁺ ··· VFBT_A(s_m)⁺

where A = (v_k, ..., v_1) (note the reverse order).

Exactly as before we can show that, at each node of the Böhm tree of s, the
first two elements of the tuple at the corresponding node of VFBT(s) encode
the head variable by counting how many levels one goes up the tree, and how
many abstractions along, to find where the variable is abstracted. The third
component just counts the number of children at the node, and the fourth is
the number of children minus the number of abstractions. We choose to encode
the number of abstractions in this rather elliptic fashion in order to make the
following theorem easier to state:

Theorem 5 (Exact Correspondence for 𝓜). If s ∈ Λ with free variables in
A = (v_k, ..., v_1) then ⟦s⟧_A = VFBT_A(s) when the former is considered as
an EXAC strategy in economical form and the latter as a labelling function.

In particular for closed terms s, ⟦s⟧_∅ = VFBT_∅(s).

Example 5. Although it is hard to see directly, the given definition of VFBT
does work as intended. One may check that VFBT(I) and VFBT(1) are:

    (1, 0, 0, −1)        (1, 0, 1, −1)
                          |
                         (2, 1, 0, 0)

The node λxy • x, in the Böhm tree of 1, corresponds to the node of VFBT(1)
labelled (1, 0, 1, −1), which is so labelled because the head variable is the first
abstracted variable zero levels up the tree (namely x), the node has one child,
and the number of abstractions at this level is 1 − (−1) = 2. The Exact Correspondence
Theorem gives us the economical forms of ⟦I⟧ and ⟦1⟧ which, as we
hoped, are the EXAC strategies η_0 and η_1 described earlier in this section.
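Definition 10 can be run as a program, which makes Example 5 easy to check. The Python below is an added example, not code from the paper: it represents a Böhm tree as nested nodes (binders, head variable, arguments, with None for ⊥), implements ρ⁺ and {ρ}ⁿ clause by clause as in Definition 10, and computes VFBT_A(s) as a map from node addresses (sequences of child indices, the same codes the economical form uses) to (i, r, t, o) labels. The node type, the function names and the sample terms other than I and 1 (K = λxy.x and λx.x(λy.yx), constructed here) are ours.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Label = Tuple[int, int, int, int]        # (i, r, t, o) as in Definition 10
Tree = Dict[Tuple[int, ...], Label]      # node address (1-based child indices) -> label


@dataclass
class Node:
    """One node of a Böhm tree: lambda x1 ... xn . y s1 ... sm (n and m may be 0).
    A None argument stands for an unsolvable subterm, i.e. the empty tree bottom."""
    binders: List[str]
    head: str
    args: List[Optional["Node"]]


def plus(rho: Tree) -> Tree:
    """rho^+ : a node at depth d labelled (i, d+1, t, o) becomes (i, d+2, t, o), so that
    references to the free-variable context survive being placed one level deeper."""
    return {addr: ((i, r + 1, t, o) if r == len(addr) + 1 else (i, r, t, o))
            for addr, (i, r, t, o) in rho.items()}


def brace(rho: Tree, n: int) -> Tree:
    """{rho}^n : add n abstractions at the root, clauses (i)-(iii) of Definition 10."""
    out: Tree = {}
    for addr, (i, r, t, o) in rho.items():
        d = len(addr)
        if d == 0:
            o -= n                       # root: children minus abstractions drops by n
        if r == d:                       # (i) bound at this node's own abstraction
            out[addr] = (i + n, d, t, o)
        elif r == d + 1 and i <= n:      # (ii) now bound by one of the n new abstractions
            out[addr] = (n - i + 1, d, t, o)
        elif r == d + 1:                 # (iii) still free: skip past the n new binders
            out[addr] = (i - n, d + 1, t, o)
        else:
            out[addr] = (i, r, t, o)
    return out


def vfbt(s: Optional[Node], ctx: Tuple[str, ...] = ()) -> Tree:
    """VFBT_A(s). ctx lists the context A = (v_k, ..., v_1): the last entry is v_1,
    so the head variable index j is found by scanning ctx from the right."""
    if s is None:
        return {}                                    # bottom, the empty tree
    if s.binders:
        inner = vfbt(Node([], s.head, s.args), ctx + tuple(s.binders))
        return brace(inner, len(s.binders))
    j = next((k for k in range(1, len(ctx) + 1) if ctx[-k] == s.head), None)
    if j is None:
        raise ValueError(f"variable {s.head!r} is not in the context {ctx}")
    m = len(s.args)
    tree: Tree = {(): (j, 1, m, m)}                 # head v_j one level up, m children
    for k, arg in enumerate(s.args, start=1):
        for addr, lab in plus(vfbt(arg, ctx)).items():
            tree[(k,) + addr] = lab
    return tree


def abstractions(lab: Label) -> int:
    """Number of lambda-abstractions at a node, recovered as t - o."""
    return lab[2] - lab[3]


# Constructed sample terms: the paper's I and 1, plus K and one nested term.
I_TERM = Node(["x"], "x", [])                                  # lambda x . x
ONE_TERM = Node(["x", "y"], "x", [Node([], "y", [])])           # lambda x y . x y
K_TERM = Node(["x", "y"], "x", [])                             # lambda x y . x
NESTED = Node(["x"], "x", [Node(["y"], "y", [Node([], "x", [])])])  # lambda x . x (lambda y . y x)
```

For I and 1 the result is exactly the two trees of Example 5, and the root labels coincide with the economical forms of η_0 and η_1 in Example 3, as Theorem 5 requires. The nested term shows a reference that crosses two levels: its grandchild is labelled (1, 2, 0, 0), the first variable abstracted two levels up.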
The Exact Correspondence results are of key importance in examining the
local structure of the game models. In [4] we use them, and a powerful result
which we call the Separation Lemma, to obtain proofs that 𝒟_EAC is a universal
and order-extensional λ-model, with equational theory given by ℋ* (the maximal
consistent sensible theory). The models 𝒟 and 𝒟_rec are neither universal nor
extensional, but do generate the same equational theory on terms.

In a similar way, we can use the Exact Correspondence Theorem for 𝓜 to
prove the following:

Theorem 6. (i) 𝓜 is universal, i.e. every element is definable as the denotation
of some term of the λ-calculus. (ii) 𝓜 is weakly extensional, so it is a λ-model
(for a discussion of weak extensionality see [1, §5]). (iii) 𝓜 equates two terms
of the λ-calculus precisely when they have the same Böhm tree. Thus the local
structure of the model is the Böhm tree theory ℬ.

5 Further Work 

Although we succeeded in our aim to find a universal game model of ℬ, there are
other questions which the work prompts. Firstly, one might ask if there is a less
syntactic way to arrive at 𝒟_EAC from 𝒟_rec, perhaps by some sort of extensional
collapse. In fact extensional collapse appears to be insufficient, and further
investigation would be of interest. In another direction, we can use 𝒟, 𝒟_rec, 𝒟_EAC
and 𝓜 as very natural combinatory algebras which are in some sense sequential.
Therefore one might wish to study realizability models over them. Finally,
and more practically, we could examine the Böhm tree composition algorithm
given by the game model: it is quite different from the usual method in that it is
"demand-driven": for every node of the answer only the relevant nodes of the
composed trees are examined.
Abstract. This paper shows that the subtyping relation of a higher-
order lambda calculus, F^ω_≤, is anti-symmetric. It exhibits the first such
proof, establishing in the process that the subtyping relation is a partial
order — reflexive, transitive, and anti-symmetric up to β-equality. While a
subtyping relation is reflexive and transitive by definition, anti-symmetry
is a derived property. The result, which may seem obvious to the non-
expert, is technically challenging, and had been an open problem for
almost a decade. In this context, typed operational semantics for subtyping
offers a powerful new technology to solve the problem: of particular
importance is our extended rule for the well-formedness of types with
head variables. The paper also gives a presentation of F^ω_≤ without a
relation for β-equality, apparently the first such, and shows its equivalence
with the traditional presentation.



1 Introduction 

Object-oriented programming languages such as Smalltalk, C++, Modula 3, and 
Java have become popular because they encourage and facilitate software reuse 
and abstract design. One attempt to give a theoretical understanding of these 
object-oriented programming languages has been to introduce type systems with 
features to model constructs from object-oriented programming languages [8,10], 
for example bounded quantification [20] and recursive types [2]. 

Metatheoretic properties of the type systems are important to justify the programming languages being modeled. One important property of a type system is subject reduction or type preservation, which states that evaluation of programs preserves their type. This is one of the central results of an earlier paper [15] about F^ω_≤, which also showed the correctness of the algorithms for type-formation and subtyping. Another important property for type systems is the decidability of type-checking and subtyping: a compiler should be able to process basic type information reliably without help from the programmer in order to prevent basic programming errors. Decidability of type-checking ensures that this will always be possible, and decidability of subtyping is a crucial step to proving this. This result was proved for our calculus in [14].

* Most of this author's work was carried out at LFCS, University of Edinburgh, JCMB, The King's Buildings, Edinburgh EH9 3JZ, UK.
The subtyping relation has been extensively researched because of its importance in applications to programming languages [1,6,21,28], proof assistants [3,25,29], and metatheoretical studies [4,5,7,10,14,15,16,18,19,24,30], to name a few. However, none of these studies has established the anti-symmetry of the subtyping relation for a higher-order calculus. In some cases it has been conjectured, as in [35]. In other cases, the problem is avoided by taking an equality that satisfies anti-symmetry by definition: A = B is defined as A ≤ B and B ≤ A. Steffen [33] has shown the simpler property, appropriate to his setting of polarized subtyping, that A ≤ B and B ≤ A, where both derivations are without uses of promotion¹, if and only if A =_β B. However, in most higher-order subtyping calculi, including ours, the problem in showing anti-symmetry is exactly to show that the derivations of A ≤ B and B ≤ A contain no uses of promotion.

Anti-symmetry has been demonstrated for F_≤ [20]. For Mitchell's second-order λ-calculus à la Curry with subtyping, a completely different style of subtyping from the one we consider here, anti-symmetry has been studied under the name of equational axiomatization of bicoercibility [34]. There, A and B are called bicoercible if A ≤ B and B ≤ A, and the paper proves that if A and B are bicoercible then A = B, for an appropriate equivalence relation =. However, the problem of bicoercibility of F_≤ is considerably easier than anti-symmetry of higher-order subtyping, because there is no notion of computation on types, and in particular no β-reduction on types.

The rest of the paper is structured as follows. In the remaining sections of the introduction we discuss technical points relating to typed operational semantics and anti-symmetry of subtyping. In Section 2 we introduce the basic language of F^ω_≤. In Section 3 we introduce the typed operational semantics, which as explained above plays a central role in our proof of anti-symmetry by providing a powerful induction principle. Section 4 outlines the proof of anti-symmetry using the typed operational semantics and sketches an approach to implementing subtyping and equality simultaneously. In Section 5 we give a sketch of the metatheory of a new presentation of F^ω_≤ without judgemental equality or conversion. Finally, we draw conclusions in Section 6. The appendices contain an outline of the results that we use from our earlier development of typed operational semantics for F^ω_≤, rules for the traditional presentation of F^ω_≤, and rules for the typed operational semantics.



Typed Operational Semantics Our proof of anti-symmetry of higher-order subtyping relies on our understanding of subtyping built up using typed operational semantics. Typed operational semantics [22] gives an alternative induction principle for type theories, by presenting type theory operationally rather than declaratively. The typed operational semantics for F^ω_≤ has judgements for reduction to weak-head and normal form for types, and for subtyping comparison between types in weak-head normal form and arbitrary types. Because the system is presented from the perspective of computation, many properties about the relationship between reduction and typing are particularly easy to show by induction on derivations of the typed operational semantics. This topic is dealt with extensively in an earlier article [14].

¹ Promotion is a step of transitivity along the bound of the head variable, and consists of replacing the head variable by its bound in a given context.

A typed approach like typed operational semantics is essential to studying anti-symmetry. Similar to Church-Rosser for βη-reduction in type theories, which is only true for typed terms, anti-symmetry is only true for well-formed judgements. For example, in Y ≤ (ΛX≤A:K.(X X)) : K', Z ≤ Y : K'', an invalid context, we can show that Z Z ≤ Y Z and Y Z ≤ Z Z, but the two types are clearly not β-equal.

A key property in our proof of anti-symmetry, that Γ(X)(A1,...,An) ≤ X(A1,...,An) is underivable in the context Γ (where Γ(X) denotes the bound of X in Γ), also relies on the well-formedness of the judgement. Intuitively, if Γ(X)(A1,...,An) and X(A1,...,An) are well-formed then they can never be β-equal. While the base case, that Γ(X) ≤ X is impossible, is straightforward, the complication in the general case is that X may appear in some Ai, so it is not obvious that Γ(X)(A1,...,An) may not β-reduce to X(A1,...,An), for example. The type system rules out cases like Γ(X) being ΛY≤A:K.(Y Y) and A1 being X.

Essential to our approach is the extended rule st-TApp from our most recent papers on decidability of subtyping [14,15]. This rule contains as a premise the well-formedness of the bound Γ(X) applied to a sequence of types, in order to conclude the well-formedness of the variable X applied to that sequence of terms. This rule is justified by an extension of the logical relation proof of Soundness (Theorem 3) using saturated sets. It is the powerful induction principle arising out of this rule, already crucial to our proof of decidability, that allows us to show the underivability of Γ(X)(A1,...,Am) ≤ X(A1,...,Am).

Induced Equivalence Relations The equivalence relation induced by A ≤ B and B ≤ A may be stronger than the usual intensional equality associated with type theory, syntactic equivalence on normal forms. One such case occurs in [32], where the types ∀(X ≤ Bot)X→X and ∀(X ≤ Bot)Bot→Bot are "equivalent in the subtype relation², even though they are not syntactically identical." A similar situation appears in intersection type disciplines, where ⊤ = A→⊤ and also A→⊤ ≤ ⊤ and ⊤ ≤ A→⊤. A final example is extensible records [11], where the extension operator is associative and commutative in the subtyping relation. These equivalence relations have models in existing frameworks, for example game semantics [13] or PER models [17].

Such equivalences also arise in the context of programming languages. For example, consider object types with a private section and a public interface, where two object types O1 and O2 may satisfy O1 ≤ O2 and O2 ≤ O1 but differ in their private section. The equivalence relation that only considers the public interface will be more useful to the programmer than intensional equality, because it is more permissive.

² A and B are equivalent in the subtyping relation if A ≤ B and B ≤ A.
In our current work on F^ω_≤ the equivalence relation is the usual notion of β-equality at the type level. However, Martin-Löf [26] has demonstrated how to capture more sophisticated equivalence relations in intensional type theory. He allows the equality on elements of a type to include an arbitrary decidable equivalence relation on the normal forms of a type, rather than taking simple syntactic equivalence of normal forms. To extend our work to the example above of public and private sections of an object type, we can take an equivalence on object types in normal form that simply compares the fields of the public interfaces.



Metatheoretic Consequences of Anti-Symmetry In addition to providing the answer to a long-standing open problem, our work has several consequences in the development of the metatheory of type systems with subtyping. First, in the presence of anti-symmetry for subtyping, we can show the equivalence between traditional presentations, either with judgemental equality or untyped β-conversion, and a system without the notion of equality. This means that the proof of soundness for model constructions, such as that for proofs of strong normalization or PER models, can be more concise. In Section 5 we give a sketch of a new presentation of F^ω_≤ without judgemental equality or conversion, apparently not found elsewhere in the literature, and discuss how the development of the metatheory proceeds for this system. The lack of a notion of equality may also have consequences for the implementation of type theories with subtyping.

Another consequence of this result is that we can now prove the Minimum Types Property, as opposed to the Minimal Types Property normally proved. A type inference algorithm can be shown to find one of many minimal types for a term. We can now clearly state the relationship between all of these minimal types: whereas before we knew that any two minimal types were subtypes of each other, we now know that they are β-equal.

2 Syntax 

We now introduce the basic language of F^ω_≤. A complete development of its meta-theory can be found in [15].

The kinds of F^ω_≤ are the kind ★ of proper types and the kinds ΠX≤A:K1.K2 of functions on types, or type operators. The types of F^ω_≤ are a straightforward higher-order extension of F_≤, where we allow bounds on the abstraction ΛX≤A:K1.B. There is a top type ⊤^★, and we define top type operators at every kind K by ⊤^{ΠX≤A1:K1.K2} = ΛX≤A1:K1.⊤^{K2}. The language of terms is the same as that for F_≤, with bounded type abstraction ΛX≤A:K.M. As in F_≤, each type variable is given an upper bound at the point where it is introduced.

The operational semantics of F^ω_≤ is given by the usual β-reduction rules on terms and types, and is extended to a compatible relation with respect to term or type formation. We write ↠_β for the transitive and reflexive closure of →_β, and =_β for the least equivalence relation containing ↠_β and closed under α-equivalence. We write A^nf to indicate the β-normal form of A, and A = B when A and B are α-equivalent.

Weak head reduction, or leftmost outermost reduction, is a less familiar notion from lambda calculus that appears in our presentation.

For technical reasons relating to the model construction, we need to consider a slightly stronger notion of weak-head normal form.

Definition 1 (Weak-Head Normal). The types A1→A2, ∀X≤A:K.B, and ΛX≤A:K.B are weak-head normal. X(A1,...,Am) is weak-head normal if A1,...,Am are in normal form.

Contexts are defined as usual, where the empty context is written ∅, term variable bindings have the form x:A, and type variable bindings have the form X≤A:K. We write dom(Γ) for the set of term and type variables defined in a context Γ. The sets of free term and type variables occurring in terms, types, kinds, contexts or judgements are written FV(−) and FTV(−). Since we are careful to ensure that no variable is bound more than once, we sometimes consider contexts as finite functions: Γ(X) yields the bound of X in Γ, where X ∈ dom(Γ) is implicitly asserted.

We write X(B1,...,Bn) for ((X B1) ... Bn). If A is of the form X(B1,...,Bn) then A has head variable X. We write HV(−) for the partial function returning the head variable of a term. We write B[X←A] for the capture-avoiding substitution of A for X in B. We identify types that differ only in the names of bound variables.

The system F^ω_≤ is presented as simultaneously defined inductive relations with the following judgement forms:

Γ ⊢ ok              well-formed context
Γ ⊢ K               well-formed kind
Γ ⊢ K =_β K'        kind equality
Γ ⊢ A : K           well-kinded type
Γ ⊢ A =_β B : K     type equality
Γ ⊢ A ≤ B : K       subtype
Γ ⊢ M : A           well-typed term

We sometimes use the metavariable J to range over statements (right-hand sides of judgements) of any of these judgement forms.

We now give an overview of the rules of inference for F^ω_≤. The context formation rules are as usual in F_≤. Kind formation differs by incorporating information about the bounds in Π:

$$\frac{\Gamma, X \le A : K_1 \vdash K_2}{\Gamma \vdash \Pi X \le A : K_1 . K_2}$$

The rules of inference for kind equality simply define a typed equivalence relation compatible with respect to the kind formers.

The rules for type formation similarly need to be adjusted for bounded operator abstraction.

$$\frac{\Gamma, X \le A_1 : K_1 \vdash A_2 : K_2}{\Gamma \vdash \Lambda X \le A_1 : K_1 . A_2 : \Pi X \le A_1 : K_1 . K_2} \;(\text{T-TAbs})$$

$$\frac{\Gamma \vdash A : \Pi X \le B : K_1 . K_2 \qquad \Gamma \vdash C \le B : K_1}{\Gamma \vdash A\,C : K_2[X \leftarrow C]} \;(\text{T-TApp})$$

$$\frac{\Gamma \vdash A : K \qquad \Gamma \vdash K =_\beta K'}{\Gamma \vdash A : K'} \;(\text{T-Conv})$$



Type equality is defined as the typed equivalence relation compatible with respect to the type formers and closed under β-reduction for types.

$$\frac{\Gamma, X \le A_1 : K_1 \vdash A_2 : K_2 \qquad \Gamma \vdash C \le A_1 : K_1}{\Gamma \vdash (\Lambda X \le A_1 : K_1 . A_2)\,C =_\beta A_2[X \leftarrow C] : K_2[X \leftarrow C]} \;(\text{T-Eq-Beta})$$

The type equality rules appear in Appendix B. 

The subtyping rules are again those of [9,10,27], except for those dealing with bounded type abstraction and type application and the rule for subtyping the quantifier. We chose Cardelli and Wegner's kernel Fun rule for quantifiers with equal bounds [12], because the contravariant rule for quantifiers renders the system undecidable [31]. Furthermore, transitivity elimination in the presence of such a rule in the higher-order case remains an open problem. Type equality is included in subtyping.

$$\frac{\Gamma \vdash A =_\beta B : K}{\Gamma \vdash A \le B : K} \;(\text{S-Conv})$$



The subtyping rules also appear in Appendix B. Our goal is to prove that this relation is anti-symmetric up to β-equality.

The term formation rules are standard. We remind the reader that the subtyping relation on ★ induces an inclusion over types.

$$\frac{\Gamma \vdash M : A \qquad \Gamma \vdash A \le B : \star}{\Gamma \vdash M : B} \;(\text{T-Sub})$$



3 The Typed Operational Semantics 

The typed operational semantics for F^ω_≤ is organized in five judgement forms:

Γ ⊢_S ok                    valid context
Γ ⊢_S K →_n K'              kind reduction
Γ ⊢_S A →_w B →_n C : K     type reduction
Γ ⊢_S A ≤ B : K             subtyping
Γ ⊢_S A ≤_w B : K           weak-head subtyping

This system can be understood informally as a particularly informative algorithm for kinding and subtyping in F^ω_≤. The first judgement simply represents well-formed contexts. The second and third judgements represent normalization of kinds and types, where the formulation of the rules of inference ensures strong normalization, Church-Rosser and other good metatheoretic properties. The last two judgements represent an algorithm for subtyping that first reduces the left- and right-hand sides to weak-head normal forms and then compares these.

We use various notations that omit unnecessary components of the judgement. For example, we write Γ ⊢_S K for Γ ⊢_S K →_n K' for some K', and similarly for types, Γ ⊢_S A →_w B : K for Γ ⊢_S A →_w B →_n C : K for some C, and Γ ⊢_S A →_n C : K for Γ ⊢_S A →_w B →_n C : K for some B. We also write Γ ⊢_S K, K' →_n K'' when Γ ⊢_S K →_n K'' and Γ ⊢_S K' →_n K'', and similarly for types.
We now present the rules of inference. The context formation and kind normalization rules are modifications of the corresponding rules for F^ω_≤. The rules for type reduction combine kinding information and computational behavior in the form of weak-head and β-normal forms. For example, the rule for arrow types says how to obtain the weak-head and β-normal forms of A1→A2 in ★ from those for A1 and A2 in ★.

Kind reduction depends on reduction on types. This is not the case in Car- 
delli’s or in where kinds are syntactically simpler. 

$$\frac{\Gamma \vdash_S A \to_n B : K_1' \qquad \Gamma, X \le A : K_1 \vdash_S K_2 \to_n K_2'}{\Gamma \vdash_S \Pi X \le A : K_1 . K_2 \to_n \Pi X \le B : K_1' . K_2'} \;(\text{SK-}\Pi)$$

The rules for type reduction are in Appendix C.

The beta rule, besides uncovering the outermost redex of the application B C and contracting it, finds the weak-head normal form E and the normal form F. The premise Γ ⊢_S K2[X←C] →_n K ensures that E and F have β-equal kinds, and the subtyping premise Γ ⊢_S C ≤ A : K1' enforces the well-formation of B C.

$$\frac{\Gamma \vdash_S B \to_w \Lambda X \le A : K_1 . D : \Pi X \le A' : K_1' . K_2 \qquad \Gamma \vdash_S K_2[X \leftarrow C] \to_n K \qquad \Gamma \vdash_S D[X \leftarrow C] \to_w E \to_n F : K \qquad \Gamma \vdash_S C \le A : K_1'}{\Gamma \vdash_S B\,C \to_w E \to_n F : K} \;(\text{ST-Beta})$$



The weak-head subtyping rules are motivated by the algorithmic rules in [16]. 
The rules sws-Arrow, sws-All, and sws-TAbs are structural. The rule sws-TApp 
implicitly uses transitivity, reducing the problem of a variable being less than 
another type to the problem of the bound of the variable being less than that 
type. The side condition ensures determinism. The rules for weak-head subtyping 
are in Appendix C. 

Finally, full subtyping is defined by reference to the weak-head subtyping relation.

$$\frac{\Gamma \vdash_S A \to_w C : K \qquad \Gamma \vdash_S B \to_w D : K \qquad \Gamma \vdash_S C \le_w D : K}{\Gamma \vdash_S A \le B : K} \;(\text{SS-Inc})$$



We have developed extensive results for this system in [15]. Those relevant 
to our development here, including the equivalence of the original system and 
the typed operational semantics, are summarized in Appendix A. 



4 Anti-Symmetry 

Our goal is to prove that if Γ ⊢ A ≤ B : K and Γ ⊢ B ≤ A : K then Γ ⊢ A =_β B : K.

We obtain this (Proposition 7) as a consequence of the corresponding property in the typed operational semantics using Soundness (Theorem 3) and Completeness (Proposition 2).³ In the semantics, the way to say that two types are equal is that they have the same normal form.

The main difficulty appears when A is of the form X(A1,...,Am). Intuitively, in this case B can only be X(A1,...,Am). To discard the possibility that B could be other than A, we need to prove that Γ ⊢_S Γ(X)(A1,...,Am) ≤ X(A1,...,Am) : K is impossible.

³ Our choice of terminology for Soundness and Completeness comes from proofs of strong normalization using saturated sets, where the Soundness theorem says that everything derivable in the syntax is satisfied in the saturated sets model.

4.1 Basic Properties 

In this section we establish some preliminary lemmas. 

The typed operational semantics is deterministic (Lemma 13), so there is only one derivation for each judgement, and we can invert the rules deriving premises from conclusions. We sometimes use this fact without mentioning it.

Lemma 1. Suppose Γ ⊢_S A →_n B : ΠX≤E:K1.K2, Γ ⊢_S C ≤ E : K1 and Γ ⊢_S K2[X←C] →_n K2'. Then there is an F such that Γ ⊢_S A C →_n F : K2' and Γ ⊢_S B C →_n F : K2'.

Proof. By Completeness, equational reasoning and Soundness. □

As shown in [15], if Γ ⊢_S A →_w B →_n C : K then B is the weak-head normal form of A and C the normal form of A. Therefore, the following structural property of the typed operational semantics can be read as follows: if B is the weak-head normal form of A, then B is its own weak-head normal form, and if C is the normal form of A, then C has itself as weak-head and normal forms.

Lemma 2.

1. If Γ ⊢_S A →_w B →_n C : K then Γ ⊢_S B →_w B →_n C : K and Γ ⊢_S C →_w C →_n C : K.

2. If Γ ⊢_S K →_n K' then Γ ⊢_S K' →_n K'.

Proof. By simultaneous induction on derivations, where most cases are immediate or follow by the induction hypothesis. The interesting case, st-TApp, follows by the induction hypothesis and Subtyping Conversion.



Lemma 3 (Upper Bound).

1. If Γ ⊢_S X(A1,...,Am) : K then Γ ⊢_S Γ(X)(A1,...,Am) : K.

2. If Γ ⊢_S X(A1,...,Am) ≤ B : K and B ≠ X(A1,...,Am) then Γ ⊢_S Γ(X)(A1,...,Am) ≤ B : K.

3. If Γ ⊢_S X(A1,...,Am) ≤_w B : K and B ≠ X(A1,...,Am) then Γ ⊢_S Γ(X)(A1,...,Am) ≤ B : K.

Proof. Case 1 follows by Soundness and Completeness from Lemma 16, because Γ ⊢_S K →_n K. Cases 2 and 3 follow by simultaneous induction on derivations. □

4.2 An Impossible Judgement

In this section we show that Γ ⊢_S Γ(X)(A1,...,Am) ≤ X(A1,...,Am) : K is an underivable judgement.

The particular property that drives our proof of this result is that the typing rule st-TApp in the typed operational semantics, for variables applied to a sequence of types, has a subderivation stating the well-formedness of the type resulting from the replacement of the variable with its bound. This rule of inference is justified by our earlier proofs of Soundness and Completeness of the usual rules of inference for the typed operational semantics, published elsewhere [15].

The development of the full metatheory of typed operational semantics is quite complex, and in particular the proof of Soundness is similar to proofs of strong normalization and relies on logical relations. However, once we have established the equivalence of the original presentation and the typed operational semantics, we can define a measure, from derivations to natural numbers, that counts the number of uses of promotion (replacing a variable by its bound in the operational semantics) before reaching Top. Clearly, the number of uses of the rule sws-TApp in a derivation of Γ ⊢_S X(A1,...,An) ≤ ⊤ : K must be greater than the number of uses in a derivation of Γ ⊢_S Γ(X)(A1,...,An) ≤ ⊤ : K, because the latter is a subderivation of the former. On the other hand, we can also show that if Γ ⊢_S A ≤ B : K then the number of uses of the rule sws-TApp in Γ ⊢_S A ≤ ⊤ : K is greater than or equal to the number in Γ ⊢_S B ≤ ⊤ : K. Hence, if we have a derivation of Γ ⊢_S Γ(X)(A1,...,An) ≤ X(A1,...,An) : K then we can derive a contradiction.

We introduce a function from derivations in the typed operational semantics to numbers, informally capturing the number of uses of the rule of inference that a variable is less than its bound. We do not have a good notation for defining a function on derivations because such definitions do not occur commonly in the literature. We therefore abbreviate in the following definition Γ(X) for the subderivation of the bound of X in Γ for the case st-TVar; Γ(X)^nf(A1,...,Am) for the subderivation of the normal form of the bound applied to the arguments of X for the case st-TApp; and β for a derivation of B C using st-Beta and reduct for the subderivation of the β-reduct of B C.

Definition 2. We define #(𝒟), from derivations 𝒟 of Γ ⊢_S A →_w B →_n C : K to numbers, by induction on derivations:

st-Top     #(⊤^★) = 0
st-Arrow   #(A1→A2) = 0
st-All     #(∀X≤A1:K.A2) = 0
st-TAbs    #(ΛX≤A1:K.A2) = 0
st-TApp    #(X(A1,...,Am)) = #(Γ(X)^nf(A1,...,Am)) + 1
st-TVar    #(X) = #(Γ(X)) + 1
st-Beta    #(β) = #(reduct)

Notice that if Γ ⊢_S A ≤ B : K then Γ ⊢_S A : K and Γ ⊢_S B : K by Lemma 17, so #(A) and #(B) are defined.

We now show that this length function is invariant with respect to well-formed types or type-operators that have the same normal form. This lemma justifies our later informality in writing types or type-operators in place of their derivations of well-formedness.

Lemma 4. If 𝒟 is a derivation of Γ ⊢_S A →_w C →_n E : K and 𝒟' is a derivation of Γ ⊢_S B →_w D →_n E : K then #(𝒟) = #(𝒟').

Proof. By induction on the derivation 𝒟.

In each case where the outermost rule is for a type constructor or a variable, we perform a nested induction on 𝒟', and there are two interesting cases. The first is when the nested case is the same rule as for the outermost induction. In this case the lengths are equal by assumption for rules st-Top, st-Arrow, st-All and st-TAbs. For st-TVar and st-TApp, we know Γ(X) is a function, so the result follows by Determinacy and the induction hypothesis. In the case st-TApp we have that Γ ⊢_S A′1 A′2 →_w X(A1,...,Am,E) →_n X(A1,...,Am,E) : K and Γ ⊢_S B′1 B′2 →_w X(A1,...,Am,F) →_n X(A1,...,Am,F) : K. Then 𝒟 and 𝒟' have the same subderivation Γ ⊢_S Γ(X)^nf(A1,...,Am,E) : K. Hence, by the definition of #, #(𝒟) = #(Γ(X)^nf(A1,...,Am,E)) + 1 = #(𝒟').

The second interesting case in the nested inductions is st-Beta, where the result follows by the induction hypothesis. All of the other nested cases contradict the assumption that the normal forms are the same.

The final outermost case, st-Beta, follows by the induction hypothesis. □

Then, if Γ ⊢_S X(A1,...,Am) : K we have

#(X(A1,...,Am)) = #(Γ(X)^nf(A1,...,Am)) + 1
                = #(Γ(X)(A1,...,Am)) + 1 > #(Γ(X)(A1,...,Am)),

where by Lemma 1 there is a B such that Γ ⊢_S Γ(X)^nf(A1,...,Am) →_n B : K and Γ ⊢_S Γ(X)(A1,...,Am) →_n B : K, and by Lemma 4 they have the same length.

Now, we come to the main lemma about #(A):

Lemma 5.

1. If Γ ⊢_S A ≤ B : K then #(A) ≥ #(B).

2. If Γ ⊢_S A ≤_w B : K then #(A) ≥ #(B).

Proof. By simultaneous induction on derivations. In Case 1, the only possible rule for Γ ⊢_S A ≤ B : K is ss-Inc, which follows by Determinacy, Lemma 4, and the induction hypothesis. In Case 2 the only interesting case is sws-TApp, where by the induction hypothesis #(E) ≥ #(B), so

#(X(A1,...,Am)) = #(Γ(X)^nf(A1,...,Am)) + 1 = #(E) + 1 > #(E) ≥ #(B),

where we know that #(Γ(X)^nf(A1,...,Am)) = #(E) by Determinacy. □



Lemma 6. There can be no derivation of the judgement Γ ⊢_S Γ(X)(A1,...,Am) ≤ X(A1,...,Am) : K.

Proof. Suppose that there were a derivation of Γ ⊢_S Γ(X)(A1,...,Am) ≤ X(A1,...,Am) : K. By Lemma 5 we have #(Γ(X)(A1,...,Am)) ≥ #(X(A1,...,Am)), contradicting the fact that #(X(A1,...,Am)) > #(Γ(X)(A1,...,Am)). □

Based on our understanding of the behavior of bounds in Lemma 3, the negative result Lemma 6 seems intuitive and believable. However, the results in Lemma 3 have been known for systems of higher-order subtyping, while Lemma 6 has remained a conjecture, so this was the major challenge of our development.

4.3 Main Result 

We can now prove our main result. Observe that in the case sws-TApp we use our key lemma (Lemma 6).

Lemma 7 (Anti-Symmetry of TOS).

1. If Γ ⊢_S A ≤ B : K and Γ ⊢_S B ≤ A : K then Γ ⊢_S A, B →_n C : K.

2. If Γ ⊢_S A ≤_w B : K and Γ ⊢_S B ≤_w A : K then Γ ⊢_S A, B →_n C : K.

Proof. The argument is by simultaneous induction on derivations.

1. The only rule to derive both assumptions is ss-Inc. By Determinacy, the premises are Γ ⊢_S A →_w C →_n E : K, Γ ⊢_S B →_w D →_n F : K, Γ ⊢_S C ≤_w D : K, and Γ ⊢_S D ≤_w C : K. By Lemma 2, Γ ⊢_S C →_w C →_n E : K and Γ ⊢_S D →_w D →_n F : K. By the induction hypothesis Γ ⊢_S C →_n G : K and Γ ⊢_S D →_n G : K. Finally, E = F = G by Determinacy.

2. The proof is by induction on the derivation of Γ ⊢_S A ≤_w B : K.

sws-Top: Then B = ⊤^★, and HV(A) is undefined, which means that A is not a type application or a type variable. Therefore the only rule to derive Γ ⊢_S ⊤^★ ≤_w A : K is sws-Top, which means that A = ⊤^★. By Lemma 17 and Determinacy, Γ ⊢_S ⊤^★, ⊤^★ →_n ⊤^★ : ★.

sws-TApp: We are going to show that this case is not possible. Assume that it is. We have that A = X(A1,...,Am) and B ≠ X(A1,...,Am). By Upper Bound (Lemma 3), Γ ⊢_S Γ(X)(A1,...,Am) ≤ B : K, and by transitivity Γ ⊢_S Γ(X)(A1,...,Am) ≤ X(A1,...,Am) : K, which is a contradiction by Lemma 6.

sws-Refl: By the premise.

sws-Arrow: The only rule to derive Γ ⊢_S B ≤_w A : K is also sws-Arrow, so the result follows by the induction hypothesis and st-Arrow.

sws-All: The only rule to derive Γ ⊢_S B ≤_w A : K is also sws-All. The premises are Γ, X≤A1:K ⊢_S A2 ≤ B2 : ★, Γ, X≤B1:K' ⊢_S B2 ≤ A2 : ★, Γ ⊢_S A1, B1 →_n C1 : K'', and Γ ⊢_S K, K' →_n K''. By Context Conversion (Lemma 12), Γ, X≤A1:K ⊢_S B2 ≤ A2 : ★. We can now apply the induction hypothesis to obtain Γ, X≤A1:K ⊢_S A2, B2 →_n C2 : ★. Finally, Γ ⊢_S (∀X≤A1:K.A2), (∀X≤B1:K'.B2) →_n ∀X≤C1:K''.C2 : ★, by st-All.

sws-TAbs: Similar to case sws-All. □

Theorem 1 (Anti-Symmetry). If Γ ⊢ A ≤ B : K and Γ ⊢ B ≤ A : K then Γ ⊢ A =_β B : K.

Proof. By Soundness (Theorem 3), Γ ⊢_S A ≤ B : K', Γ ⊢_S B ≤ A : K', and Γ ⊢_S K →_n K'. By Proposition 7, Γ ⊢_S A, B →_n C : K'. By Completeness and symmetry of kind equality Γ ⊢ K' =_β K. By Completeness Γ ⊢ A =_β C : K' and Γ ⊢ B =_β C : K'. Finally, by T-Eq-Sym, T-Eq-Trans, and S-K-Conv, Γ ⊢ A =_β B : K. □

4.4 Equality by Subtyping 

A consequence of the proof of Anti-Symmetry of the typed operational semantics is that if Γ ⊢_S A ≤ B : K and Γ ⊢_S B ≤ A : K then the derivations do not contain any uses of the promotion rule sws-TApp. This fact is used to show that:

Lemma 8. If Γ ⊢ A =_β B : K then the derivation of Γ ⊢_S A ≤ B : K' does not contain any uses of sws-TApp, where Γ ⊢_S K →_n K'.

Proof. By Completeness and by the proof of Anti-Symmetry for the typed operational semantics. □

Furthermore, if one of the subtyping derivations does not use sws-TApp then the other derivation does not either.

Lemma 9.

1. If it is not the case that Γ ⊢_S A →_n C : K', C ≠ ⊤^★ and Γ ⊢_S B →_n ⊤^★ : K', then if the derivation of Γ ⊢_S A ≤ B : K' contains no uses of sws-TApp, then Γ ⊢_S B ≤ A : K' and the derivation contains no uses of sws-TApp.

2. If it is not the case that A ≠ ⊤^★ and B = ⊤^★, then if the derivation of Γ ⊢_S A ≤_w B : K' contains no uses of sws-TApp, then Γ ⊢_S B ≤_w A : K' and the derivation contains no uses of sws-TApp.

Proof. By simultaneous induction on the derivations of Γ ⊢_S A ≤ B : K' and Γ ⊢_S A ≤_w B : K', using that Context Conversion (Lemma 12) creates no new uses of sws-TApp in the cases sws-All and sws-TAbs.

In the light of Lemmas 8 and 9, an algorithm may implement equality and subtyping simultaneously: to check if A =_β B it is not necessary to check both A ≤ B and B ≤ A, but it is enough to check whether the algorithm uses a step corresponding to promotion (the application rule) in showing A ≤ B. If it does not then A =_β B.

The only exception is the case in which the derivation does not contain promotion and is of the form:

$$\frac{A \to_w C \qquad C \ne \top^\star \qquad B \to_w \top^\star \qquad C \le_w \top^\star}{A \le B}$$

where C ≤_w ⊤^★ is obtained by the rule sws-Top. This is the only case in which a subtyping derivation not containing promotion relates two types which are not β-equal. To exclude this case Lemma 9 Case 1 has the added restrictions on the normal forms of A and B.
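A runnable sketch of the promotion-counting argument of Sections 4.2 and 4.4, added here as an illustration and not taken from the paper. It restricts the calculus to kernel F_≤ types without type operators (so there is no β-reduction and every type is its own weak-head normal form), encodes Γ as a map from variables to bounds, and returns with each subtyping verdict the number of promotions (sws-TApp) used, so that the length function #, Lemma 5, Lemma 6 and the equality-by-subtyping check can be exercised on constructed types. The sws-Top exception is tracked at every position of the derivation rather than only at the top level as in Lemma 9; the data type names and the `rank`, `subtype` and `equal` functions are this example's own.

```python
"""Promotion counting in kernel F<= subtyping (Sections 4.2 and 4.4).

Added illustration, not code from the paper: a first-order restriction of
the paper's calculus with no type operators, hence no beta-reduction, so
every type is its own weak-head normal form.  A context is a dict mapping
each type variable X to its bound Gamma(X); binders have distinct names.
"""
from dataclasses import dataclass
from typing import Dict, Tuple, Union


@dataclass(frozen=True)
class Top:
    """The top type of kind *."""


@dataclass(frozen=True)
class TVar:
    name: str


@dataclass(frozen=True)
class Arrow:
    dom: "Type"
    cod: "Type"


@dataclass(frozen=True)
class All:
    var: str
    bound: "Type"
    body: "Type"


Type = Union[Top, TVar, Arrow, All]
Context = Dict[str, Type]


def rename(t: Type, old: str, new: str) -> Type:
    """Rename free occurrences of type variable `old` to `new`."""
    if isinstance(t, TVar):
        return TVar(new) if t.name == old else t
    if isinstance(t, Arrow):
        return Arrow(rename(t.dom, old, new), rename(t.cod, old, new))
    if isinstance(t, All):
        body = t.body if t.var == old else rename(t.body, old, new)
        return All(t.var, rename(t.bound, old, new), body)
    return t


def rank(ctx: Context, a: Type) -> int:
    """The paper's #: promotions from a down to Top; #(X) = #(Gamma(X)) + 1,
    and 0 for Top, arrow and quantified types."""
    if isinstance(a, TVar):
        return rank(ctx, ctx[a.name]) + 1
    return 0


def subtype(ctx: Context, a: Type, b: Type) -> Tuple[bool, int, int]:
    """Decide Gamma |- a <= b; return (derivable, promotions, top_steps).

    promotions counts uses of sws-TApp (head variable replaced by its bound);
    top_steps counts uses of sws-Top with a left-hand side other than Top, the
    one promotion-free step that relates two distinct types.
    """
    if isinstance(a, TVar):
        if a == b:
            return True, 0, 0                           # sws-Refl
        ok, p, t = subtype(ctx, ctx[a.name], b)         # sws-TApp: promotion
        return (True, p + 1, t) if ok else (False, 0, 0)
    if isinstance(b, Top):                              # sws-Top, HV(a) undefined
        return True, 0, (0 if isinstance(a, Top) else 1)
    if isinstance(a, Arrow) and isinstance(b, Arrow):   # sws-Arrow
        ok1, p1, t1 = subtype(ctx, b.dom, a.dom)        # contravariant domain
        ok2, p2, t2 = subtype(ctx, a.cod, b.cod)        # covariant codomain
        return (True, p1 + p2, t1 + t2) if ok1 and ok2 else (False, 0, 0)
    if isinstance(a, All) and isinstance(b, All):       # sws-All, kernel Fun rule
        if not equal(ctx, a.bound, b.bound):            # bounds must be equal
            return False, 0, 0
        inner = dict(ctx, **{a.var: a.bound})           # extend Gamma with X <= A1
        return subtype(inner, a.body, rename(b.body, b.var, a.var))
    return False, 0, 0


def equal(ctx: Context, a: Type, b: Type) -> bool:
    """Equality by subtyping: a single check of a <= b decides a = b, because
    a derivation with neither a promotion nor a non-trivial sws-Top step is
    purely structural (the check of b <= a is not needed)."""
    ok, promotions, top_steps = subtype(ctx, a, b)
    return ok and promotions == 0 and top_steps == 0


if __name__ == "__main__":
    # Constructed context: Y <= X <= Top, i.e. Gamma(X) = Top and Gamma(Y) = X.
    gamma: Context = {"X": Top(), "Y": TVar("X")}
    X, Y = TVar("X"), TVar("Y")
    print(subtype(gamma, Y, X))        # (True, 1, 0): one promotion, #(Y)=2 >= #(X)=1
    print(subtype(gamma, X, Y))        # (False, 0, 0): Lemma 6, Gamma(Y) <= Y is underivable
    print(equal(gamma, Arrow(Top(), Top()), Top()))  # False: the sws-Top exception
```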
5 Replacing Equality with Subtyping

In this section we sketch a presentation of F^ω_≤ without judgemental equality or conversion: we simply add β-expansion to the left- and right-hand sides of the subtyping judgement, and allow the rules for transitivity and compatible closure of subtyping to handle the extension to full β-equality. To our knowledge, this is the first such presentation for a higher-order subtyping calculus. This leads to simplifications in the proof of soundness for models of the system, because we remove equality and all of the rules of inference that rely on it.

We write Γ ⊢_≤ J for judgements derived in the system without an equality judgement, and Γ ⊢_≤ A ≃ B : K if Γ ⊢_≤ A ≤ B : K and Γ ⊢_≤ B ≤ A : K.

5.1 Modifications to Inference Rules 

The system requires several changes in order to accommodate the removal of equality. First, the inclusion of the equality relation in subtyping, and in particular reflexivity and the rule for β-equality, needs to be recovered in the rules for subtyping itself:

$$\frac{\Gamma \vdash_\le A : K}{\Gamma \vdash_\le A \le A : K} \;(\text{SE-Refl})$$

$$\frac{\Gamma, X \le A_1 : K_1 \vdash_\le A_2 : K_2 \qquad \Gamma \vdash_\le C \le A_1 : K_1 \qquad \Gamma \vdash_\le A_2[X \leftarrow C] \le D : K_2[X \leftarrow C]}{\Gamma \vdash_\le (\Lambda X \le A_1 : K_1 . A_2)\,C \le D : K_2[X \leftarrow C]} \;(\text{SE-BetaL})$$

The rule SE-BetaR similarly introduces a β-expansion on the right-hand side. Next, the rule for subtyping applications does not allow the argument to vary. This restriction is for a good reason: allowing subtyping in the argument is unsound. However, we need to recapture the behavior of equality in allowing equal types on the right-hand side of an application:

$$\frac{\Gamma \vdash_\le A \le B : \Pi X \le E : K_1 . K_2 \qquad \Gamma \vdash_\le C \simeq D : K_1 \qquad \Gamma \vdash_\le C \le E : K_1}{\Gamma \vdash_\le A\,C \le B\,D : K_2[X \leftarrow C]} \;(\text{SE-TApp})$$

Showing the soundness of this rule for the system with the usual rule S-TApp will need to use anti-symmetry somewhere, because S-TApp requires β-equality of the arguments of the type application.

Finally, we still need an equivalence relation on kinds in order to allow the kinded judgements to vary with respect to equal kinds. We simply lift the equivalence induced by subtyping to kinds. Otherwise, the rules for the new system arise by replacing equality by the new relation ≃.

5.2 Changes to Metatheory

We can now show several basic results relating the old presentation with judgemental equality and the new one without it.
First, we can show that equality can be captured by the equivalence relation
induced by subtyping.

Definition 3. Let $\Gamma \vdash_\le A = B : K$ be defined using the same rules of inference
as judgemental equality for $\Gamma \vdash A = B : K$, but replacing uses of $\Gamma \vdash A : K$,
$\Gamma \vdash A \le B : K$, and so on, by the corresponding judgements $\Gamma \vdash_\le A : K$,
$\Gamma \vdash_\le A \le B : K$, and so on.

Lemma 10. If $\Gamma \vdash_\le A = B : K$ then $\Gamma \vdash_\le A \simeq B : K$.

This lemma, plus some minor modifications to the original proof, leads to
a proof of Completeness of the new system $\Gamma \vdash_\le J$ for the typed operational
semantics.

Proposition 1 (Completeness).

1. $\Gamma \vdash_S A \Rightarrow_w B \Rightarrow_n C : K$ implies $\Gamma \vdash_\le A : K$, $\Gamma \vdash_\le A =_\beta B : K$ and
$\Gamma \vdash_\le A =_\beta C : K$.

2. $\Gamma \vdash_S A \le B : K$ implies $\Gamma \vdash_\le A, B : K$ and $\Gamma \vdash_\le A \le B : K$.

We now consider Soundness of $\Gamma \vdash_\le J$ for the typed operational semantics.

Theorem 2 (Soundness).

1. If $\Gamma \vdash_\le A : K$ then there are $K'$, $B$ and $C$ such that $\Gamma \vdash_S K \Rightarrow_n K'$ and
$\Gamma \vdash_S A \Rightarrow_w B \Rightarrow_n C : K'$.

2. If $\Gamma \vdash_\le A \simeq B : K$ then there are $C$ and $K'$ such that $\Gamma \vdash_S K \Rightarrow_n K'$,
$\Gamma \vdash_S A \Rightarrow_n C : K'$ and $\Gamma \vdash_S B \Rightarrow_n C : K'$.

3. If $\Gamma \vdash_\le A \le B : K$ then there is a $K'$ such that $\Gamma \vdash_S K \Rightarrow_n K'$ and
$\Gamma \vdash_S A \le B : K'$.

It is probably true that the alternative presentation without equality could
be developed by itself, with no reference to equality or anti-symmetry. In our
setting, this would require a small change in the rule SWS-Refl, to allow type
arguments that are subtypes of each other on the left- and right-hand sides
rather than the same normal form. However, the proof of the equivalence of this
system with the traditional presentation with equality relies on anti-symmetry.

6 Conclusions 

We have solved a long-standing open problem, giving a general approach to
showing the anti-symmetry of higher-order subtyping. To our knowledge, this is
the first proof of anti-symmetry for higher-order subtyping: even for systems like
$F^\omega_\le$, defined roughly ten years ago, the result was unknown. We have also shown
this result for the subtyping relation of $\mathcal{F}^\omega_\le$, a higher-order lambda calculus with
bounded operator abstraction. Typed operational semantics was essential to our
proof, especially the refined understanding of the behaviour of types as embodied
in the extended rule ST-TApp.

This result has several consequences for the metatheory of type systems with
higher-order subtyping. First, it implies that we can now prove the Minimum
Types Property, as opposed to the Minimal Types Property which is normally
proved. For our system, we can now say what the relation is between all the
minimal types of a given term: before, we knew only that any two minimal types were
subtypes of each other; now we can say that they are $\beta$-equal. Secondly, we can
simplify the basic judgements of type systems with subtyping by eliminating
either judgemental equality or conversion.

A practical consequence of this work is that the implementation of higher-order
type systems with subtyping can be simplified, because we no longer need
to implement either judgemental equality or conversion.
A Results from [15]

Lemma 11 (Adequacy).

1. If $\Gamma \vdash_S K \Rightarrow_n K'$ then $K \twoheadrightarrow_\beta K'$.

2. If $\Gamma \vdash_S A \Rightarrow_w B \Rightarrow_n C : K$ then $A \twoheadrightarrow_\beta B \twoheadrightarrow_\beta C$.

Lemma 12 (Context Conversion). If $\Gamma \vdash_S K \Rightarrow_n K'$ and $\Gamma \vdash_S A \Rightarrow_n A' : K'$ and
$\Gamma, X{\le}A{:}K \vdash_S J$ then $\Gamma, X{\le}A'{:}K' \vdash_S J$.

Lemma 13 (Determinacy).

1. If $\Gamma \vdash_S A \Rightarrow_w B \Rightarrow_n C : K$ and $\Gamma \vdash_S A \Rightarrow_w D \Rightarrow_n E : K'$ then $B \equiv D$, $C \equiv E$
and $K \equiv K'$.

2. If $\Gamma \vdash_S K \Rightarrow_n K'$ and $\Gamma \vdash_S K \Rightarrow_n K''$ then $K' \equiv K''$.

Lemma 14 (Subject Reduction). $\Gamma \vdash_S A \Rightarrow_w B \Rightarrow_n C : K$ and $A \to_\beta A'$ imply
there is a $B'$ such that $B \twoheadrightarrow_\beta B'$ and $\Gamma \vdash_S A' \Rightarrow_w B' \Rightarrow_n C : K$.

Lemma 15 (Subtyping Conversion). Suppose that $\Gamma \vdash_S A \le_w B : K$. Then:

1. If $\Gamma \vdash_S A, A' \Rightarrow_n C : K$ then $\Gamma \vdash_S A' \le_w B : K$.

2. If $\Gamma \vdash_S B, B' \Rightarrow_n C : K$ then $\Gamma \vdash_S A \le_w B' : K$.

Similarly for $\Gamma \vdash_S A \le B : K$.

Proposition 2 (Completeness).

1. $\Gamma \vdash_S K \Rightarrow_n K'$ implies $\Gamma \vdash K$ and $\Gamma \vdash K =_\beta K'$.

2. $\Gamma \vdash_S A \Rightarrow_w B \Rightarrow_n C : K$ implies $\Gamma \vdash A : K$, $\Gamma \vdash A =_\beta B : K$ and $\Gamma \vdash A =_\beta C : K$.

3. $\Gamma \vdash_S A \le_w B : K$ implies $\Gamma \vdash A \le B : K$.

4. $\Gamma \vdash_S A \le B : K$ implies $\Gamma \vdash A, B : K$ and $\Gamma \vdash A \le B : K$.

Theorem 3 (Soundness).

1. If $\Gamma \vdash K$ then there is a $K'$ such that $\Gamma \vdash_S K \Rightarrow_n K'$; if $\Gamma \vdash K =_\beta K'$ then there
is a $K''$ such that $\Gamma \vdash_S K \Rightarrow_n K''$ and $\Gamma \vdash_S K' \Rightarrow_n K''$.

2. If $\Gamma \vdash A : K$ then there are $K'$, $B$ and $C$ such that $\Gamma \vdash_S K \Rightarrow_n K'$ and
$\Gamma \vdash_S A \Rightarrow_w B \Rightarrow_n C : K'$; if $\Gamma \vdash A =_\beta B : K$ then there are $C$ and $K'$ such that
$\Gamma \vdash_S K \Rightarrow_n K'$, $\Gamma \vdash_S A \Rightarrow_n C : K'$ and $\Gamma \vdash_S B \Rightarrow_n C : K'$.

3. If $\Gamma \vdash A \le B : K$ then there is a $K'$ such that $\Gamma \vdash_S K \Rightarrow_n K'$ and $\Gamma \vdash_S A \le B : K'$.

Lemma 16 (Upper Bound). If $\Gamma \vdash X(A_1, \dots, A_m) : K$ then $\Gamma \vdash \Gamma(X)(A_1, \dots, A_m) : K$.

Lemma 17. If $\Gamma \vdash_S A \le B : K$ then $\Gamma \vdash_S A : K$ and $\Gamma \vdash_S B : K$.
B Rules for the Calculus

Equality Rules

The equality rules for the calculus include typed rules of inference stating that $\Gamma \vdash A =_\beta B : K$
is an equivalence relation and a compatible closure for $A \to B$, $\forall X{\le}A_1{:}K.A_2$,
$\Lambda X{\le}A_1{:}K.A_2$, and type application, in addition to the following two rules:

$$\frac{\Gamma, X{\le}A_1{:}K_1 \vdash A_2 : K_2 \qquad \Gamma \vdash C \le A_1 : K_1}{\Gamma \vdash (\Lambda X{\le}A_1{:}K_1.A_2)\,C =_\beta A_2[X{:=}C] : K_2[X{:=}C]}\ (\text{T-Eq-Beta})$$

$$\frac{\Gamma \vdash A =_\beta B : K \qquad \Gamma \vdash K =_\beta K'}{\Gamma \vdash A =_\beta B : K'}\ (\text{T-Eq-Conv})$$

Subtyping Rules

The subtyping rules for the calculus include typed rules stating that $\Gamma \vdash A \le B : K$ is transitive,
that it includes the relation $\Gamma \vdash A =_\beta B : K$, that $T_K$ is greater than all $A$ of kind $K$,
and the following rules:

$$\frac{\Gamma_1, X{\le}A{:}K, \Gamma_2 \vdash \mathrm{ok}}{\Gamma_1, X{\le}A{:}K, \Gamma_2 \vdash X \le A : K}\ (\text{S-TVar})$$

$$\frac{\Gamma \vdash B_1 \le A_1 : * \qquad \Gamma \vdash A_2 \le B_2 : *}{\Gamma \vdash A_1 \to A_2 \le B_1 \to B_2 : *}\ (\text{S-Arrow})$$

$$\frac{\Gamma, X{\le}C{:}K \vdash A \le B : *}{\Gamma \vdash \forall X{\le}C{:}K.A \le \forall X{\le}C{:}K.B : *}\ (\text{S-All})$$

$$\frac{\Gamma, X{\le}C{:}K_1 \vdash A \le B : K_2}{\Gamma \vdash \Lambda X{\le}C{:}K_1.A \le \Lambda X{\le}C{:}K_1.B : \Pi X{\le}C{:}K_1.K_2}\ (\text{S-TAbs})$$

$$\frac{\Gamma \vdash A \le B : \Pi X{\le}D{:}K_1.K_2 \qquad \Gamma \vdash C \le D : K_1}{\Gamma \vdash A\,C \le B\,C : K_2[X{:=}C]}\ (\text{S-TApp})$$

$$\frac{\Gamma \vdash A \le B : K \qquad \Gamma \vdash K =_\beta K'}{\Gamma \vdash A \le B : K'}\ (\text{S-K-Conv})$$
C Rules for the Typed Operational Semantics

Type Reduction Rules

$$\frac{\Gamma \vdash_S \mathrm{ok}}{\Gamma \vdash_S T^* \Rightarrow_w T^* \Rightarrow_n T^* : *}\ (\text{ST-Top})$$

$$\frac{\Gamma \vdash_S A : K' \qquad \Gamma \vdash_S K \Rightarrow_n K' \qquad (X{\le}A{:}K) \in \Gamma}{\Gamma \vdash_S X \Rightarrow_w X \Rightarrow_n X : K'}\ (\text{ST-TVar})$$

$$\frac{\begin{array}{c}\Gamma \vdash_S A \Rightarrow_w X(A_1,\dots,A_m) \Rightarrow_n X(D_1,\dots,D_m) : \Pi Y{\le}C{:}K_1.K_2 \qquad \Gamma \vdash_S \Gamma(X)(A_1,\dots,A_m,B) : K\\ \Gamma \vdash_S B \Rightarrow_w B' \Rightarrow_n E : K_1 \qquad \Gamma \vdash_S E \le_w C : K_1 \qquad \Gamma \vdash_S K_2[Y{:=}B] \Rightarrow_n K\end{array}}{\Gamma \vdash_S A\,B \Rightarrow_w X(A_1,\dots,A_m,B) \Rightarrow_n X(D_1,\dots,D_m,E) : K}\ (\text{ST-TApp})$$

$$\frac{\Gamma \vdash_S A_1 \Rightarrow_n B_1 : * \qquad \Gamma \vdash_S A_2 \Rightarrow_n B_2 : *}{\Gamma \vdash_S A_1 \to A_2 \Rightarrow_w A_1 \to A_2 \Rightarrow_n B_1 \to B_2 : *}\ (\text{ST-Arrow})$$

$$\frac{\Gamma \vdash_S A \Rightarrow_n C : K' \qquad \Gamma \vdash_S K \Rightarrow_n K' \qquad \Gamma, X{\le}A{:}K \vdash_S B \Rightarrow_n D : *}{\Gamma \vdash_S \forall X{\le}A{:}K.B \Rightarrow_w \forall X{\le}A{:}K.B \Rightarrow_n \forall X{\le}C{:}K'.D : *}\ (\text{ST-All})$$

$$\frac{\Gamma \vdash_S A \Rightarrow_n C : K_1' \qquad \Gamma \vdash_S K_1 \Rightarrow_n K_1' \qquad \Gamma, X{\le}A{:}K_1 \vdash_S B \Rightarrow_n D : K_2}{\Gamma \vdash_S \Lambda X{\le}A{:}K_1.B \Rightarrow_w \Lambda X{\le}A{:}K_1.B \Rightarrow_n \Lambda X{\le}C{:}K_1'.D : \Pi X{\le}C{:}K_1'.K_2}\ (\text{ST-TAbs})$$

$$\frac{\Gamma \vdash_S B \Rightarrow_w \Lambda X{\le}A{:}K_1.D : \Pi X{\le}A{:}K_1'.K_2 \qquad \Gamma \vdash_S K_2[X{:=}C] \Rightarrow_n K \qquad \Gamma \vdash_S D[X{:=}C] \Rightarrow_w E \Rightarrow_n F : K \qquad \Gamma \vdash_S C \le A : K_1'}{\Gamma \vdash_S B\,C \Rightarrow_w E \Rightarrow_n F : K}\ (\text{ST-Beta})$$

Weak-Head Subtyping and Subtyping

$$\frac{\Gamma \vdash_S A \Rightarrow_n B : * \qquad HV(A)\ \text{undefined}}{\Gamma \vdash_S A \le_w T^* : *}\ (\text{SWS-Top})$$

$$\frac{\Gamma \vdash_S X(A_1,\dots,A_m) \Rightarrow_n C : K \qquad \Gamma \vdash_S \Gamma(X) \Rightarrow_n B : K' \qquad \Gamma \vdash_S B(A_1,\dots,A_m) \Rightarrow_n E : K \qquad \Gamma \vdash_S E \le_w D : K \qquad D \not\equiv X(A_1,\dots,A_m)}{\Gamma \vdash_S X(A_1,\dots,A_m) \le_w D : K}\ (\text{SWS-TApp})$$

$$\frac{\Gamma \vdash_S X(A_1,\dots,A_m), X(B_1,\dots,B_m) \Rightarrow_n C : K}{\Gamma \vdash_S X(A_1,\dots,A_m) \le_w X(B_1,\dots,B_m) : K}\ (\text{SWS-Refl})$$

$$\frac{\Gamma \vdash_S B_1 \le A_1 : * \qquad \Gamma \vdash_S A_2 \le B_2 : *}{\Gamma \vdash_S A_1 \to A_2 \le_w B_1 \to B_2 : *}\ (\text{SWS-Arrow})$$

$$\frac{\Gamma, X{\le}A_1{:}K \vdash_S A_2 \le B_2 : * \qquad \Gamma \vdash_S K, K' \Rightarrow_n K'' \qquad \Gamma \vdash_S A_1, B_1 \Rightarrow_n C : K''}{\Gamma \vdash_S \forall X{\le}A_1{:}K.A_2 \le_w \forall X{\le}B_1{:}K'.B_2 : *}\ (\text{SWS-All})$$

$$\frac{\Gamma, X{\le}A_1{:}K_1 \vdash_S A_2 \le B_2 : K_2 \qquad \Gamma \vdash_S K_1, K_1' \Rightarrow_n K_1'' \qquad \Gamma \vdash_S A_1, B_1 \Rightarrow_n C : K_1''}{\Gamma \vdash_S \Lambda X{\le}A_1{:}K_1.A_2 \le_w \Lambda X{\le}B_1{:}K_1'.B_2 : \Pi X{\le}C{:}K_1''.K_2}\ (\text{SWS-TAbs})$$

$$\frac{\Gamma \vdash_S A \Rightarrow_w C : K \qquad \Gamma \vdash_S B \Rightarrow_w D : K \qquad \Gamma \vdash_S C \le_w D : K}{\Gamma \vdash_S A \le B : K}\ (\text{SS-Inc})$$
Abstract. We present an extension of type theory with a fixed point
combinator $Y$. We are particularly interested in using this $Y$ for doing unbounded
proof search in the proof system. Therefore we treat in some detail
a typed $\lambda$-calculus for higher order predicate logic with inductive types
(a reasonable subsystem of the theory implemented in
[Dowek e.a. 1991]) and show how bounded proof search can be done in
this system, and how unbounded proof search can be done if we add
$Y$. Of course, proof search can also be implemented (as a tactic) in the
meta language. This may give faster results, but asks from the user to
be able to program the implementation. In our approach the user works
completely in the proof system itself. We also provide the meta theory
of type theory with $Y$ that allows the fixed point combinator to be used in
a safe way. Most importantly, we prove a kind of conservativity result,
showing that, if we can generate a proof term $M$ of formula $\varphi$ in the
extended system, and $M$ does not contain $Y$, then $M$ is already a proof
of $\varphi$ in the original system.



1 Introduction 

In theorem provers based on type theory, we are always looking for an explicit
proof-object, i.e. if we want to prove the formula $\varphi$, we are in fact looking for a
term $M$ such that $M : \varphi$ ($M$ is of type $\varphi$). Such a term $M$ then corresponds
to a derivation in standard natural deduction (and can be translated to a proof
in natural language text). This has the advantage that, besides the proof engine
telling us that the formula is provable, the engine also produces, interactively
with the user, a proof term that can be checked independently. As a matter
of fact, the program for checking a proof object is relatively simple: it is a type
checking algorithm for a strongly dependently-typed language. This conforms with
the basic idea that finding a proof is difficult, hence it is done interactively,
whereas verifying an alleged proof is simple.

The interaction with the proof engine usually consists of a set of goal-directed
tactics. So, we try to construct a proof-term by looking at the structure of the
goal to be proved. Of course, one can define more powerful tactics, especially
when we are dealing with a decidable fragment of the logic. An example is the
‘Tauto’ tactic in Coq, which automatically solves (i.e. constructs proof-terms for)
first order propositional logic (and a bit beyond).

Tactics like Tauto are built into the engine, but the user can also define
his/her own tactics, by programming them in the meta-language of the proof
system. To do so, the user has to know the meta-language and the way the
proof system is implemented in it quite well. This makes it in general quite hard
to program one’s own tactics. In this paper we present a kind of ‘tactic’ that
can be programmed in the proof system itself, which allows searching for proof-terms.
So no knowledge of the implementation is required. We also present two
examples of its use and the underlying explanation of the method in terms of
the proof system (the typed $\lambda$-calculus that is implemented in the proof engine).

The method we present can also be implemented as a tactic in the meta-language,
and then it can certainly be made much faster. We believe that it is
nice that a ‘search-tactic’ can be safely implemented in the language of the proof
system itself, which makes it much easier for a user to apply.

Due to the expressiveness of typed $\lambda$-calculus, a lot of ‘proof search’ can already be
defined in the proof system itself. E.g. if we have a decidable predicate
$Q$ over $\mathsf{nat}$ (i.e. a proof term $P$ of type $\Pi n{:}\mathsf{nat}.\, Q(n) \vee \neg Q(n)$) then we can do
a bounded search for an element $m \le N$ such that $Q(m)$ holds. The idea is to
iterate $P$ up to $N$ times until we find an $m : \mathsf{nat}$ for which $P m = \mathsf{inl}\, t$; then
$t : Q(m)$. Note that this $m$ will also be the smallest $n$ for which $Q(n)$ holds.

An unbounded search can also be defined if we add a fixed point combinator to
the typed $\lambda$-calculus. In the example above: using the fixed point combinator, we
can iterate $P$ without bound, until we find an $m : \mathsf{nat}$ such that $P m = \mathsf{inl}\, t$, and
then $Q(m)$ holds. Adding a fixed point combinator is of course a real extension
of the proof system: as the underlying typed $\lambda$-calculus is strongly normalizing,
no fixed point combinator can be defined in it. In this paper we show that adding
a fixed point combinator $Y$ is safe. This is done by showing that the addition
of $Y$ yields a conservative extension. That is, if $\vdash_S$ denotes derivability in some
typed $\lambda$-calculus $S$ and $\vdash_{S+Y}$ denotes derivability in $S$ extended with $Y$, then

$$\Gamma \vdash_{S+Y} M : A \;\Rightarrow\; \Gamma \vdash_S M : A,$$

for $\Gamma$, $M$ and $A$ not containing $Y$. (Of course we do not have conservativity
in the logical sense: $\exists M(\Gamma \vdash_{S+Y} M : A) \Rightarrow \exists M(\Gamma \vdash_S M : A)$, for $\Gamma$ and $A$
not containing $Y$.) Now, in order to show that adding $Y$ is safe, let $\varphi$ be a
formula in a certain context $\Gamma$ (both $\varphi$ and $\Gamma$ in the system $S$). Suppose we
have constructed a proof-term $P : \varphi$ in $S + Y$, so $P$ may possibly contain $Y$.

Now we let $P$ reduce until we find a term $P'$ that does not contain $Y$. Then,
due to the subject reduction property for $S + Y$ (which we will prove), we have
$\Gamma \vdash_{S+Y} P' : \varphi$ and hence $\Gamma \vdash_S P' : \varphi$ by conservativity.

How exactly the fixed point combinator is used to perform proof search will be
detailed in the paper by some examples. The proof search is in fact performed
by the reduction of the fixed point combinator, so, in terms of the previous
paragraph, the search is in the reduction from $P$ to $P'$.

The conservativity of $S + Y$ over $S$ will be proved for arbitrary functional
Pure Type Systems $S$. Functional Pure Type Systems cover a large class of
typed $\lambda$-calculi, among which we find the simply typed $\lambda$-calculus, dependently
typed $\lambda$-calculus, polymorphic $\lambda$-calculus (known as system F) and the Calculus
of Constructions. The core of the proof system of Coq is also a functional Pure
Type System. We believe that the conservativity of $S + Y$ over $S$ will extend to
the whole proof system of Coq, which is a functional Pure Type System extended
with inductive types.



2 Theorem Proving in Typed $\lambda$-Calculus



In this section we briefly introduce the notion of Pure Type System and give
some examples of how theorem proving is done in such a system. Our main focus
will be on the system $\lambda\mathrm{PRED}\omega$. This is a typed $\lambda$-calculus that faithfully represents
constructive higher order predicate logic. To motivate this we give some
examples of derivable judgements in $\lambda\mathrm{PRED}\omega$. For more information on Pure
Type Systems and typed $\lambda$-calculus in general, we refer to [Barendregt 1992] and
[Geuvers 1993].

Pure Type Systems or PTSs were first introduced by Berardi [Berardi 1990]
and Terlouw [Terlouw 1989a], with slightly different definitions. The advantage
of the class of PTSs is that many known systems can be seen as PTSs. So, many
specific results for specific systems are immediate instances of general properties
of PTSs. In the following we will mention a number of these properties.



Definition 1. For $\mathcal{S}$ a set, the so-called sorts, $\mathcal{A} \subseteq \mathcal{S} \times \mathcal{S}$ (the axioms) and
$\mathcal{R} \subseteq \mathcal{S} \times \mathcal{S} \times \mathcal{S}$ (the rules), the Pure Type System $\lambda(\mathcal{S}, \mathcal{A}, \mathcal{R})$ is the typed $\lambda$-calculus
with the following deduction rules.

$$(\mathrm{sort})\quad \vdash s_1 : s_2 \qquad \text{if } (s_1, s_2) \in \mathcal{A}$$

$$(\mathrm{var})\quad \frac{\Gamma \vdash A : s}{\Gamma, x{:}A \vdash x : A}$$

$$(\mathrm{weak})\quad \frac{\Gamma \vdash A : s \qquad \Gamma \vdash M : C}{\Gamma, x{:}A \vdash M : C}$$

$$(\Pi)\quad \frac{\Gamma \vdash A : s_1 \qquad \Gamma, x{:}A \vdash B : s_2}{\Gamma \vdash \Pi x{:}A.B : s_3} \qquad \text{if } (s_1, s_2, s_3) \in \mathcal{R}$$

$$(\lambda)\quad \frac{\Gamma, x{:}A \vdash M : B \qquad \Gamma \vdash \Pi x{:}A.B : s}{\Gamma \vdash \lambda x{:}A.M : \Pi x{:}A.B}$$

$$(\mathrm{app})\quad \frac{\Gamma \vdash M : \Pi x{:}A.B \qquad \Gamma \vdash N : A}{\Gamma \vdash M N : B[N/x]}$$

$$(\mathrm{conv})\quad \frac{\Gamma \vdash M : A \qquad \Gamma \vdash B : s}{\Gamma \vdash M : B} \qquad \text{if } A =_\beta B$$

If $s_2 = s_3$ in a triple $(s_1, s_2, s_3) \in \mathcal{R}$, we write $(s_1, s_2) \in \mathcal{R}$. In these rules, the
expressions are taken from the set of pseudoterms $\mathcal{T}$, defined by

$$\mathcal{T} ::= \mathcal{S} \mid \mathcal{V} \mid (\Pi \mathcal{V}{:}\mathcal{T}.\mathcal{T}) \mid (\lambda \mathcal{V}{:}\mathcal{T}.\mathcal{T}) \mid \mathcal{T}\mathcal{T}.$$

The pseudoterm $A$ is typable if there is a context $\Gamma$ and a pseudoterm $B$ such
that $\Gamma \vdash A : B$ or $\Gamma \vdash B : A$ is derivable.

In the following, we will mainly be dealing with the PTS $\lambda\mathrm{PRED}\omega$, which is
defined as follows.

$\lambda\mathrm{PRED}\omega$

$\mathcal{S}$: Set, Type$^s$, Prop, Type$^p$

$\mathcal{A}$: (Set : Type$^s$), (Prop : Type$^p$)

$\mathcal{R}$: (Set, Set), (Set, Type$^p$), (Type$^p$, Type$^p$), (Prop, Prop), (Set, Prop), (Type$^p$, Prop)

The idea is that Set is the sort (universe) of ‘small’ sets, Prop is the sort of
propositions, Type$^p$ is the sort of ‘large’ sets (so Prop is a large set) and Type$^s$ is
the sort containing just Set.

We briefly explain the rules. The rule (Prop, Prop) is for forming the implication
$\varphi \to \psi$ for $\varphi, \psi : \mathrm{Prop}$. With (Set, Type$^p$) one can form $A \to \mathrm{Prop} : \mathrm{Type}^p$ and
$A \to A \to \mathrm{Prop} : \mathrm{Type}^p$, the domains of unary predicates and binary relations over
$A$. (Type$^p$, Type$^p$) allows us to extend this to higher order predicates and relations,
like $(A \to \mathrm{Prop}) \to \mathrm{Prop} : \mathrm{Type}^p$, the domain of predicates over predicates over $A$,
and $(A \to A \to \mathrm{Prop}) \to \mathrm{Prop} : \mathrm{Type}^p$. The rule (Set, Prop) allows quantification
over small sets (i.e. $A$ with $A : \mathrm{Set}$): one can form $\Pi x{:}A.\varphi$ (for $A : \mathrm{Set}$ and
$\varphi : \mathrm{Prop}$), which is to be read as a universal quantification. (Type$^p$, Prop) also allows
higher order quantification, i.e. over large sets, e.g. $\Pi P{:}A \to \mathrm{Prop}.\varphi : \mathrm{Prop}$.
Using (Set, Set) one can define function types like the type of binary functions:
$A \to A \to A$, but also $(A \to A) \to A$, which is usually referred to as a ‘higher order
function type’.

We motivate the definition by giving some examples of mathematical notions
that can be formalised in $\lambda\mathrm{PRED}\omega$.

Example 1.

1. $\mathsf{nat}{:}\mathrm{Set}, 0{:}\mathsf{nat}, >{:}\mathsf{nat} \to \mathsf{nat} \to \mathrm{Prop} \vdash \lambda x{:}\mathsf{nat}.\, x > 0 : \mathsf{nat} \to \mathrm{Prop}$. Here we see
the use of $\lambda$-abstraction to define a predicate.

2. $\mathsf{nat}{:}\mathrm{Set}, 0{:}\mathsf{nat}, S{:}\mathsf{nat} \to \mathsf{nat} \vdash \Pi P{:}\mathsf{nat} \to \mathrm{Prop}.\, (P0) \to (\Pi x{:}\mathsf{nat}.(Px \to P(Sx))) \to \Pi x{:}\mathsf{nat}.Px : \mathrm{Prop}$. This is
the induction formula written down in $\lambda\mathrm{PRED}\omega$ as a term of type Prop.

3. $A{:}\mathrm{Set}, R{:}A \to A \to \mathrm{Prop} \vdash \Pi x, y, z{:}A.\, Rxy \to Ryz \to Rxz : \mathrm{Prop}$. (This formula
expresses transitivity of $R$.)

4. $A{:}\mathrm{Set} \vdash \lambda R, Q{:}A \to A \to \mathrm{Prop}.\, \Pi x, y{:}A.\, Rxy \to Qxy : (A \to A \to \mathrm{Prop}) \to (A \to A \to \mathrm{Prop}) \to \mathrm{Prop}$. (This relation between binary relations
on $A$ expresses inclusion of relations.)

5. $A{:}\mathrm{Set} \vdash \lambda x, y{:}A.\, \Pi P{:}A \to \mathrm{Prop}.(Px \to Py) : A \to A \to \mathrm{Prop}$.
This binary relation on $A$ is also called ‘Leibniz equality’ and is usually
denoted by $=_A$, denoting the domain type explicitly.

6. $A{:}\mathrm{Set}, x, y{:}A \vdash \lambda r{:}x =_A y.\, \lambda P{:}A \to \mathrm{Prop}.\, r(\lambda z{:}A.Pz \to Px)(\lambda q{:}Px.q) : x =_A y \to y =_A x$. The proof of symmetry of Leibniz equality.

The rules of Pure Type Systems give the flexibility to define subsystems in
a rather easy way by restricting the set $\mathcal{R}$. The Pure Type System $\lambda\mathrm{PRED2}$,
representing second order predicate logic, is defined from $\lambda\mathrm{PRED}\omega$ by removing
(Type$^p$, Type$^p$) from $\mathcal{R}$. (Then we can no longer form higher order predicates
and relations.) To obtain first order predicate logic, we remove (Type$^p$, Prop) from
$\lambda\mathrm{PRED2}$, which forbids quantification over second order domains (predicates,
relations). Other well-known typed $\lambda$-calculi that can be described as a PTS are
the simply typed $\lambda$-calculus, the polymorphic typed $\lambda$-calculus (also known as system
F) and the Calculus of Constructions.
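The rules of Definition 1 and the examples above, as an added example that is not code from the paper or from any proof assistant: a small checker for functional Pure Type Systems in Python. Terms are nested tuples, the (conv) rule is folded into a $\beta$-equality test on normal forms (which terminates because the checked terms are strongly normalizing), and the $\lambda\mathrm{PRED}\omega$ instance re-checks items 1 and 5 of Example 1 and shows that $(A \to \mathrm{Prop}) \to \mathrm{Prop}$ is well-formed in $\lambda\mathrm{PRED}\omega$ but not in $\lambda\mathrm{PRED2}$. The term encoding, the variable names, and the spellings `Type^s` / `Type^p` for the two Type sorts are this example's own choices, not notation from the paper.

```python
# Added example: a checker for functional Pure Type Systems, instantiated to λPREDω.
import itertools
_fresh = itertools.count()
# Pseudoterms: ('sort', s) | ('var', x) | ('pi', x, A, B) | ('lam', x, A, M) | ('app', M, N)
def S(s): return ('sort', s)
def V(x): return ('var', x)
def arrow(A, B): return ('pi', '_', A, B)          # A→B is Πx:A.B with x not free in B
def apps(f, *args):
    for a in args: f = ('app', f, a)
    return f

def free_vars(t):
    k = t[0]
    if k == 'sort': return set()
    if k == 'var': return {t[1]}
    if k == 'app': return free_vars(t[1]) | free_vars(t[2])
    return free_vars(t[2]) | (free_vars(t[3]) - {t[1]})

def subst(t, x, N):                                  # capture-avoiding t[N/x]
    k = t[0]
    if k == 'sort': return t
    if k == 'var': return N if t[1] == x else t
    if k == 'app': return ('app', subst(t[1], x, N), subst(t[2], x, N))
    _, y, A, B = t
    if y == x: return (k, y, subst(A, x, N), B)      # x is shadowed inside B
    if y in free_vars(N):                            # rename the binder to avoid capture
        y2 = f'{y}_{next(_fresh)}'; B, y = subst(B, y, V(y2)), y2
    return (k, y, subst(A, x, N), subst(B, x, N))

def normalize(t):                                    # β-normal form (terms here are normalizing)
    k = t[0]
    if k in ('sort', 'var'): return t
    if k == 'app':
        M, N = normalize(t[1]), normalize(t[2])
        return normalize(subst(M[3], M[1], N)) if M[0] == 'lam' else ('app', M, N)
    return (k, t[1], normalize(t[2]), normalize(t[3]))

def canon(t, env=()):                                # de Bruijn indices for bound variables
    k = t[0]
    if k == 'sort': return t
    if k == 'var': return ('bvar', env[::-1].index(t[1])) if t[1] in env else t
    if k == 'app': return ('app', canon(t[1], env), canon(t[2], env))
    return (k, canon(t[2], env), canon(t[3], env + (t[1],)))

def beta_equal(A, B): return canon(normalize(A)) == canon(normalize(B))   # A =β B up to α
class PTS:
    def __init__(self, axioms, rules):               # A as s1 ↦ s2, R as (s1, s2) ↦ s3
        self.axioms, self.rules = dict(axioms), {(s1, s2): s3 for s1, s2, s3 in rules}
    def sort_of(self, ctx, A):                       # the s with Γ ⊢ A : s
        s = normalize(self.infer(ctx, A))
        if s[0] != 'sort': raise TypeError('not a type')
        return s[1]
    def infer(self, ctx, t):
        """Some A with Γ ⊢ t : A, following the rules of Definition 1; ctx is a list of (x, A)."""
        k = t[0]
        if k == 'sort':                                          # (sort)
            if t[1] not in self.axioms: raise TypeError('no axiom for ' + t[1])
            return S(self.axioms[t[1]])
        if k == 'var':                                           # (var)/(weak): look x up in Γ
            for x, A in reversed(ctx):
                if x == t[1]: return A
            raise TypeError('unbound variable ' + t[1])
        if k == 'app':                                           # (app), with (conv) on the argument
            T = normalize(self.infer(ctx, t[1]))
            if T[0] != 'pi': raise TypeError('applying a non-function')
            if not beta_equal(self.infer(ctx, t[2]), T[2]): raise TypeError('argument mismatch')
            return subst(T[3], T[1], t[2])
        _, x, A, B = t
        s1 = self.sort_of(ctx, A)
        if k == 'pi':                                            # (Π): needs (s1, s2, s3) ∈ R
            s2 = self.sort_of(ctx + [(x, A)], B)
            if (s1, s2) not in self.rules: raise TypeError(f'no rule ({s1}, {s2})')
            return S(self.rules[(s1, s2)])
        Bty = self.infer(ctx + [(x, A)], B)                      # (λ): Πx:A.B must itself be a type
        self.sort_of(ctx, ('pi', x, A, Bty))
        return ('pi', x, A, Bty)

def derives(pts, ctx, M, A):
    """Γ ⊢ M : A; False if Γ is not a correct context or M is not typable."""
    try:
        for i, (_, T) in enumerate(ctx): pts.sort_of(ctx[:i], T)
        return beta_equal(pts.infer(ctx, M), A)
    except TypeError: return False

# λPREDω (sorts, axioms and rules from the paper); λPRED2 drops the rule (Type^p, Type^p).
AX = [('Set', 'Type^s'), ('Prop', 'Type^p')]
RULES = [(a, b, b) for a, b in [('Set', 'Set'), ('Set', 'Type^p'), ('Type^p', 'Type^p'),
                                ('Prop', 'Prop'), ('Set', 'Prop'), ('Type^p', 'Prop')]]
LPREDW = PTS(AX, RULES)
LPRED2 = PTS(AX, [r for r in RULES if r[:2] != ('Type^p', 'Type^p')])
# Example 1.1:  nat:Set, 0:nat, >:nat→nat→Prop ⊢ λx:nat. x>0 : nat→Prop
CTX1 = [('nat', S('Set')), ('0', V('nat')), ('gt', arrow(V('nat'), arrow(V('nat'), S('Prop'))))]
EX1 = ('lam', 'x', V('nat'), apps(V('gt'), V('x'), V('0')))
# Example 1.5:  A:Set ⊢ λx,y:A. ΠP:A→Prop. Px→Py : A→A→Prop   (Leibniz equality)
CTXA = [('A', S('Set'))]
LEIBNIZ = ('lam', 'x', V('A'), ('lam', 'y', V('A'), ('pi', 'P', arrow(V('A'), S('Prop')),
           arrow(apps(V('P'), V('x')), apps(V('P'), V('y'))))))
PRED2 = arrow(arrow(V('A'), S('Prop')), S('Prop'))       # (A→Prop)→Prop, needs (Type^p, Type^p)
```

Because the PTS is assumed functional, $\mathcal{A}$ and $\mathcal{R}$ can be stored as dictionaries, which is exactly what makes `infer` a deterministic type inference algorithm rather than a search; `derives(LPREDW, CTX1, EX1, arrow(V('nat'), S('Prop')))` and `derives(LPREDW, CTXA, LEIBNIZ, arrow(V('A'), arrow(V('A'), S('Prop'))))` both return `True`, while `derives(LPRED2, CTXA, PRED2, S('Type^p'))` returns `False` because the rule (Type$^p$, Type$^p$) is missing.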

2.1 Properties of Pure Type Systems

An important motivation for the definition of Pure Type Systems is that many
important properties can be proved for all PTSs at once. Here we list the
most important properties and discuss them briefly. Proofs can be found in
[Geuvers and Nederhof 1991] and [Barendregt 1992]. Here we only mention the
ones that are needed for the proof of conservativity of the extension of a PTS
with a fixed point combinator.

In the following, unless explicitly stated otherwise, $\vdash$ refers to derivability in
an arbitrary PTS. Furthermore, $\Gamma$ is a correct context means that $\Gamma \vdash M : A$
for some $M$ and $A$.

Proposition 1 (Church-Rosser (CR)).

The $\beta$-reduction is Church-Rosser on the set of pseudoterms $\mathcal{T}$.

Proposition 2 (Correctness of Types (CT)).

If $\Gamma \vdash M : A$ then $\Gamma \vdash A : s$ or $A \equiv s$ for some $s \in \mathcal{S}$.

Proposition 3 (Subject Reduction (SR)).

If $\Gamma \vdash M : A$ and $M \twoheadrightarrow_\beta N$, then $\Gamma \vdash N : A$.

Proposition 4 (Predicate Reduction (PR)).

If $\Gamma \vdash M : A$ and $A \twoheadrightarrow_\beta A'$, then $\Gamma \vdash M : A'$.

There are also many (interesting) properties that hold for specific PTSs or
specific classes of PTSs. We mention one of these properties.

Definition 2. A PTS $\lambda(\mathcal{S}, \mathcal{A}, \mathcal{R})$ is functional, also called singly sorted, if the
relations $\mathcal{A}$ and $\mathcal{R}$ are functions, i.e. if the following two properties hold:

$$\forall s_1, s_2, s_2' \in \mathcal{S}\; \big((s_1, s_2), (s_1, s_2') \in \mathcal{A} \Rightarrow s_2 = s_2'\big)$$
$$\forall s_1, s_2, s_3, s_3' \in \mathcal{S}\; \big((s_1, s_2, s_3), (s_1, s_2, s_3') \in \mathcal{R} \Rightarrow s_3 = s_3'\big)$$

The PTSs that we have encountered so far are functional. So are all PTSs
that are used in practice. Functional PTSs share the following nice property.

Proposition 5 (Unicity of Types for functional PTSs (UT)).

For functional PTSs, if $\Gamma \vdash M : A$ and $\Gamma \vdash M : B$, then $A =_\beta B$.

A less interesting, very basic, property, but one needed in a proof later, is:

Proposition 6 ($\Pi$-generation). Let $\Gamma \vdash \Pi x{:}A.B : s$. Then there exists a rule
$(s_1, s_2, s) \in \mathcal{R}$ such that $\Gamma \vdash A : s_1$ and $\Gamma, x{:}A \vdash B : s_2$.

An important property of a type system is that types can be computed, i.e.
there is an algorithm that, given $\Gamma$ and $M$, computes an $A$ for which $\Gamma \vdash M : A$
holds, and if there is no such $A$, returns ‘false’. This is usually referred to as the
type inference problem.

There are two important properties that ensure that type inference is decidable:
Church-Rosser for $\beta$-reduction and Normalization for $\beta$-reduction. Of
course, when adding a fixed point combinator, normalization is lost. In the next
section we will discuss why, for the relevant fragment of the system, type checking
is still decidable.



2.2 Inductive Types

We briefly treat the extension of $\lambda\mathrm{PRED}\omega$ with inductive types, by giving some
examples and how they are used. $\lambda\mathrm{PRED}\omega$ + inductive types does not fully
cover the type system of Coq, but quite a bit of it. At least it covers enough to
be able to describe our examples of proof search in the next section. The scheme
we give is roughly the one first introduced in [Coquand and Mohring 1990] and
implemented in [Dowek e.a. 1991].

We first give the (very basic) example of natural numbers nat. One is allowed
to write down the following definition.

Inductive definition nat : Set :=
  0 : nat
  S : nat→nat.

to obtain the following rules.

$$(\mathrm{elim}_1)\quad \frac{\Gamma \vdash A : \mathrm{Set} \qquad \Gamma \vdash f_1 : A \qquad \Gamma \vdash f_2 : \mathsf{nat} \to A \to A}{\Gamma \vdash \mathrm{Rec}_{\mathsf{nat}} f_1 f_2 : \mathsf{nat} \to A}$$

$$(\mathrm{elim}_2)\quad \frac{\Gamma \vdash P : \mathsf{nat} \to \mathrm{Prop} \qquad \Gamma \vdash f_1 : P0 \qquad \Gamma \vdash f_2 : \Pi x{:}\mathsf{nat}.\, Px \to P(Sx)}{\Gamma \vdash \mathrm{Rec}_{\mathsf{nat}} f_1 f_2 : \Pi x{:}\mathsf{nat}.\, Px}$$

$$(\mathrm{elim}_3)\quad \frac{\Gamma \vdash A : \mathrm{Type}^p \qquad \Gamma \vdash f_1 : A \qquad \Gamma \vdash f_2 : \mathsf{nat} \to A \to A}{\Gamma \vdash \mathrm{Rec}_{\mathsf{nat}} f_1 f_2 : \mathsf{nat} \to A}$$

The rule (elim$_1$) allows the definition of functions by primitive recursion. The
rule (elim$_2$) allows proofs by induction. The rule (elim$_3$) allows the definition of
predicates (on nat) by induction. To make sure that the functions defined by the
(elim) rules compute in the correct way, Rec has the following reduction rules.

$$\mathrm{Rec}_{\mathsf{nat}} f_1 f_2\, 0 \to_\iota f_1$$
$$\mathrm{Rec}_{\mathsf{nat}} f_1 f_2\, (Sx) \to_\iota f_2\, x\, (\mathrm{Rec}_{\mathsf{nat}} f_1 f_2\, x)$$

The additional $\iota$-reduction is also included in the conversion rule (conv), where
we now have as a side-condition ‘$A =_{\beta\iota} B$’. The subscript in $\mathrm{Rec}_{\mathsf{nat}}$ will be
omitted when clear from the context.

An example of the use of (elim$_1$) is in the definition of the ‘double’ function
$d$, which is defined by

$$d := \mathrm{Rec}\, 0\, (\lambda x{:}\mathsf{nat}.\lambda y{:}\mathsf{nat}.\, S(S(y))).$$

Now $d0 \twoheadrightarrow_{\beta\iota} 0$ and $d(Sx) \twoheadrightarrow_{\beta\iota} S(S(dx))$. The predicate of ‘being even’,
$\mathsf{even}(-)$, can be defined by using (elim$_3$):

$$\mathsf{even}(-) := \mathrm{Rec}\, \top\, (\lambda x{:}\mathsf{nat}.\lambda \alpha{:}\mathrm{Prop}.\, \neg\alpha).$$

Here $\neg\varphi$ is defined as $\varphi \to \bot$. We obtain indeed that

$$\mathsf{even}(0) \twoheadrightarrow_{\beta\iota} \top,$$
$$\mathsf{even}(Sx) \twoheadrightarrow_{\beta\iota} \neg\mathsf{even}(x).$$

An example of the use of (elim$_2$) is the proof of $\Pi x{:}\mathsf{nat}.\mathsf{even}(dx)$. Say that $\mathsf{true}$
is some canonical inhabitant of type $\top$. Using $\mathsf{even}(d(Sx)) \twoheadrightarrow_{\beta\iota} \neg\neg\mathsf{even}(dx)$ we
also find that the term $\lambda x{:}\mathsf{nat}.\lambda h{:}\mathsf{even}(dx).\lambda z{:}\neg\mathsf{even}(dx).\, zh$ is of type
$\Pi x{:}\mathsf{nat}.\mathsf{even}(dx) \to \mathsf{even}(d(Sx))$. So we conclude that

$$\vdash \mathrm{Rec}\, \mathsf{true}\, (\lambda x{:}\mathsf{nat}.\lambda h{:}\mathsf{even}(dx).\lambda z{:}\neg\mathsf{even}(dx).\, zh) : \Pi x{:}\mathsf{nat}.\mathsf{even}(dx).$$
Another well-known example is the type of lists over a domain $D$. This is
usually defined as a parametric inductive type, taking the domain as a parameter
of the inductive definition. The type of parametric lists can be defined as follows.

Inductive definition List : Set→Set :=
  Nil : ΠD:Set. (List D)
  Cons : ΠD:Set. (List D)→D→(List D).

This generates the following elimination rules and reduction rules.

$$(\mathrm{elim}_1)\quad \frac{\Gamma \vdash D : \mathrm{Set} \qquad \Gamma \vdash A : \mathrm{Set} \qquad \Gamma \vdash f_1 : A \qquad \Gamma \vdash f_2 : (\mathrm{List}\,D) \to D \to A \to A}{\Gamma \vdash \mathrm{Rec}_{\mathrm{List}} f_1 f_2 : (\mathrm{List}\,D) \to A}$$

$$(\mathrm{elim}_2)\quad \frac{\Gamma \vdash D : \mathrm{Set} \qquad \Gamma \vdash P : (\mathrm{List}\,D) \to \mathrm{Prop} \qquad \Gamma \vdash f_1 : P(\mathrm{Nil}\,D) \qquad \Gamma \vdash f_2 : \Pi x{:}(\mathrm{List}\,D).\Pi d{:}D.\, Px \to P(\mathrm{Cons}\, x\, d)}{\Gamma \vdash \mathrm{Rec}_{\mathrm{List}} f_1 f_2 : \Pi x{:}(\mathrm{List}\,D).\, Px}$$

$$(\mathrm{elim}_3)\quad \frac{\Gamma \vdash D : \mathrm{Set} \qquad \Gamma \vdash A : \mathrm{Type}^p \qquad \Gamma \vdash f_1 : A \qquad \Gamma \vdash f_2 : (\mathrm{List}\,D) \to D \to A \to A}{\Gamma \vdash \mathrm{Rec}_{\mathrm{List}} f_1 f_2 : (\mathrm{List}\,D) \to A}$$

$$\mathrm{Rec}_{\mathrm{List}} f_1 f_2\, (\mathrm{Nil}\,D) \to_\iota f_1$$
$$\mathrm{Rec}_{\mathrm{List}} f_1 f_2\, (\mathrm{Cons}\, D\, l\, d) \to_\iota f_2\, l\, d\, (\mathrm{Rec}_{\mathrm{List}} f_1 f_2\, l)$$
Note that to be able to write down the type of the constructors Nil and Cons,
we need to add the rule (Type$^s$, Set) to $\lambda\mathrm{PRED}\omega$. The constructors Nil and Cons
have a dependent type. It turns out that this situation occurs more often. We
treat another interesting example: the $\Sigma$-type. Let $B : \mathrm{Set}$ and $Q : B \to \mathrm{Prop}$ and
suppose we have added the rule (Prop, Set) to our system.

Inductive definition μ : Set :=
  In : Πz:B. (Qz)→μ.

$$(\mathrm{elim}_1)\quad \frac{\Gamma \vdash A : \mathrm{Set} \qquad \Gamma \vdash f_1 : \Pi z{:}B.(Qz) \to A}{\Gamma \vdash \mathrm{Rec}_\mu f_1 : \mu \to A}$$

$$(\mathrm{elim}_2)\quad \frac{\Gamma \vdash P : \mu \to \mathrm{Prop} \qquad \Gamma \vdash f_1 : \Pi z{:}B.\Pi y{:}(Qz).\, P(\mathrm{In}\, z\, y)}{\Gamma \vdash \mathrm{Rec}_\mu f_1 : \Pi x{:}\mu.(Px)}$$

$$(\mathrm{elim}_3)\quad \frac{\Gamma \vdash A : \mathrm{Type}^p \qquad \Gamma \vdash f_1 : \Pi z{:}B.(Qz) \to A}{\Gamma \vdash \mathrm{Rec}_\mu f_1 : \mu \to A}$$

The $\iota$-reduction rule is

$$\mathrm{Rec}_\mu f_1\, (\mathrm{In}\, b\, q) \to_\iota f_1\, b\, q.$$

Now, taking in (elim$_1$) $B$ for $A$ and $\lambda z{:}B.\lambda y{:}(Qz).z$ for $f_1$, we find that
$\mathrm{Rec}(\lambda z{:}B.\lambda y{:}(Qz).z)(\mathrm{In}\, b\, q) \twoheadrightarrow b$. Hence we define $\pi_1 := \mathrm{Rec}(\lambda z{:}B.\lambda y{:}(Qz).z)$.
Now, taking in (elim$_2$) $\lambda x{:}\mu.Q(\pi_1 x)$ for $P$ and $\lambda z{:}B.\lambda y{:}(Qz).y$ for $f_1$, we find that
$\mathrm{Rec}(\lambda z{:}B.\lambda y{:}(Qz).y) : \Pi z{:}\mu.Q(\pi_1 z)$. Also, $\mathrm{Rec}(\lambda z{:}B.\lambda y{:}(Qz).y)(\mathrm{In}\, b\, q) \twoheadrightarrow q$.
Hence we define $\pi_2 := \mathrm{Rec}(\lambda z{:}B.\lambda y{:}(Qz).y)$ and we remark that $\mu$ together
with In (as pairing constructor) and $\pi_1$ and $\pi_2$ (as projections) represents the
$\Sigma$-type. In the rest of this article, we will just use the $\Sigma$-type, and will write
$(n, p)$ for the pair of $n$ and $p$.

An example of an inductively defined proposition is the disjunction. Given $\varphi$
and $\psi$ of type Prop, $\varphi \vee \psi$ can be defined as follows.

Inductive definition φ ∨ ψ : Prop :=
  inl : φ→(φ ∨ ψ)
  inr : ψ→(φ ∨ ψ)

We add the (Prop, Set) rule to $\lambda\mathrm{PRED}\omega$, because we want to have the first
two elimination rules.

$$(\mathrm{elim}_1)\quad \frac{\Gamma \vdash A : \mathrm{Set} \qquad \Gamma \vdash f_1 : \varphi \to A \qquad \Gamma \vdash f_2 : \psi \to A}{\Gamma \vdash \mathrm{Rec}_\vee f_1 f_2 : (\varphi \vee \psi) \to A}$$

$$(\mathrm{elim}_2)\quad \frac{\Gamma \vdash P : \mathrm{Prop} \qquad \Gamma \vdash f_1 : \varphi \to P \qquad \Gamma \vdash f_2 : \psi \to P}{\Gamma \vdash \mathrm{Rec}_\vee f_1 f_2 : (\varphi \vee \psi) \to P}$$

$$\mathrm{Rec}_\vee f_1 f_2\, (\mathrm{inl}\, q) \to_\iota f_1\, q,$$
$$\mathrm{Rec}_\vee f_1 f_2\, (\mathrm{inr}\, q) \to_\iota f_2\, q.$$

As usual we write

    case t of inl(p) ⇒ M1
              inr(p) ⇒ M2

for $\mathrm{Rec}_\vee(\lambda p{:}\varphi.M_1)(\lambda p{:}\psi.M_2)\, t$.

Similarly one can define the disjoint union of two small sets, $A + B$ for
$A, B : \mathrm{Set}$, inductively. We will ambiguously use the same notations for the
constructors of $A + B$.



3 Proof Search in Type Theoretic Theorem Provers

We treat two examples of proof search in Coq. We try to avoid using Coq-syntax
and describe the examples in terms of $\lambda\mathrm{PRED}\omega$ with inductive types. The first
example is a search for a term $n : \mathsf{nat}$ such that $Q(n)$ holds, where $Q$ is a
decidable predicate. So we let $Q : \mathsf{nat} \to \mathrm{Prop}$ and we assume we have a term

$$P : \Pi n{:}\mathsf{nat}.\, Q(n) \vee \neg Q(n).$$

Now, we want to iterate $P$ to find the $n$ and the proof of $Q(n)$. First suppose
that we hope to find the $n$ before $N$, so we want to iterate $P$ at most $N$ times
($N : \mathsf{nat}$).

Definition 3. For $A : \mathrm{Set}$, $a : A$ and $n : \mathsf{nat}$ we define $Y^n_a : (A \to A) \to A$ as
follows.

$$Y^n_a := \lambda f{:}A \to A.\, \mathrm{Rec}_{\mathsf{nat}}\, a\, (\lambda x{:}\mathsf{nat}.\lambda y{:}A.\, f y)\, n.$$

The following is easily verified.

$$Y^0_a f \twoheadrightarrow a,$$
$$Y^{n+1}_a f \twoheadrightarrow f(Y^n_a f),$$
$$Y^n_a f \twoheadrightarrow f^n(a),$$

where $f^n(a)$ denotes, as usual, $n$ times application of $f$ on $a$.

Now define

$$F := \lambda g{:}\mathsf{nat} \to \mathsf{nat}.\lambda n{:}\mathsf{nat}.\, \mathbf{case}\ (Pn)\ \mathbf{of}\ \mathrm{inl}(p) \Rightarrow n \mid \mathrm{inr}(p) \Rightarrow g(n+1).$$




448 



H. Geuvers, E. Poll, and J. Zwanenburg 



So, $F : (\mathsf{nat} \to \mathsf{nat}) \to (\mathsf{nat} \to \mathsf{nat})$. Now, let $N : \mathsf{nat}$, let $I := \lambda x{:}\mathsf{nat}.x$, and write $Y^n$ for $Y^n_I$.
Then

$$\begin{array}{lcll}
Y^N F\, 0 & \twoheadrightarrow & 0 & \text{if } P0 \twoheadrightarrow \mathrm{inl}(p) : Q(0),\\
 & \twoheadrightarrow & Y^{N-1} F\, 1 & \text{if } P0 \twoheadrightarrow \mathrm{inr}(p) : \neg Q(0),\\
Y^{N-1} F\, 1 & \twoheadrightarrow & 1 & \text{if } P1 \twoheadrightarrow \mathrm{inl}(p) : Q(1),\\
 & \twoheadrightarrow & Y^{N-2} F\, 2 & \text{if } P1 \twoheadrightarrow \mathrm{inr}(p) : \neg Q(1),\\
Y^{N-2} F\, 2 & \twoheadrightarrow & 2 & \text{if } P2 \twoheadrightarrow \mathrm{inl}(p) : Q(2),\\
 & \twoheadrightarrow & Y^{N-3} F\, 3 & \text{if } P2 \twoheadrightarrow \mathrm{inr}(p) : \neg Q(2),\\
\vdots \\
Y^1 F\, (N-1) & \twoheadrightarrow & N-1 & \text{if } P(N-1) \twoheadrightarrow \mathrm{inl}(p) : Q(N-1),\\
 & \twoheadrightarrow & Y^0 F\, N \twoheadrightarrow N & \text{if } P(N-1) \twoheadrightarrow \mathrm{inr}(p) : \neg Q(N-1).
\end{array}$$

So, if $Y^N F\, 0 \twoheadrightarrow n$ with $n < N$, then $Q(n)$ holds and $P(n) \twoheadrightarrow \mathrm{inl}(p)$
with $p$ a proof of $Q(n)$. If $Y^N F\, 0 \twoheadrightarrow N$, then $\neg Q(n)$ for all $n < N$.

The method above works if we know an upper bound on the $n$ that we want to
search for. Another option is to start a (possibly non-terminating) search. This
can be done by adding the fixed point combinator to $\lambda\mathrm{PRED}\omega$ with inductive
types. We define the extension very generally for PTSs.

Definition 4. Let $S = \lambda(\mathcal{S}, \mathcal{A}, \mathcal{R})$ be a PTS and let $s$ be a sort of the system
$S$. The system $S + Y^s$ is obtained by adding the following rule.

$$\frac{\Gamma \vdash A : s \qquad \Gamma \vdash f : A \to A}{\Gamma \vdash Y^s f : A}$$

The $\beta$-reduction is extended with the rule $Y^s f \to_Y f(Y^s f)$, giving $\beta Y$-reduction.

We sometimes omit the superscript $s$, if we know which sort we are talking about.
If we add $Y^s$ for all sorts, we just talk about $S + Y$.

In $\lambda\mathrm{PRED}\omega$ with inductive types and $Y$, we can now program an arbitrary
proof search. (We omit the superscript Set.) With the above definition for $F$ we
obtain

$$Y F\, 0 : \mathsf{nat}$$

and if $Y F\, 0 \twoheadrightarrow n$ with $n$ a normal form, then we know that $Q(n)$ holds and
$Pn \twoheadrightarrow_{\beta\iota Y} \mathrm{inl}(p)$ with $p : Q(n)$. (Moreover, we know that $n$ is the smallest
$m$ for which $Q(m)$ holds, but only on a meta-level: the proof term does not
represent this information. If $Y F\, 0$ does not terminate, there is no $n$ for which
$Q(n)$ holds.)

We may wonder whether the extension of a type system with $Y$ is safe. This
will be the subject of the next section. Here we consider one more application
of the proof search method, where we want to verify whether $Q$ holds for $n =
0, 1, \dots, N$.
Suppose again we have our decidable predicate $Q$ with $P$ a proof term of type
$\Pi n{:}\mathsf{nat}.Q(n) \vee \neg Q(n)$. If we want to prove that $Q$ holds for $n = 0, 1, \dots, N$,
we do not just want to verify that fact, but also store the proof terms of
$Q(0), Q(1), \dots, Q(N)$. Moreover, if $Q(n)$ fails for an $n \le N$, we want to return
this $n$. Now abbreviate

$$\mathrm{List} := \mathrm{List}(\Sigma x{:}\mathsf{nat}.Q(x)).$$

Define the function $F$ as follows.

$$F := \lambda g.\lambda n{:}\mathsf{nat}.\, \mathbf{case}\ P(n)\ \mathbf{of}\ \mathrm{inl}(p) \Rightarrow (\mathbf{case}\ g(n+1)\ \mathbf{of}\ \mathrm{inl}(l) \Rightarrow \mathrm{inl}(\mathrm{Cons}\, l\, (n,p)) \mid \mathrm{inr}(m) \Rightarrow \mathrm{inr}(m)) \mid \mathrm{inr}(p) \Rightarrow \mathrm{inr}(n).$$

Here, the type of $g$ is $\mathsf{nat} \to (\mathrm{List} + \mathsf{nat})$, with List as above, the type of lists over
$\Sigma x{:}\mathsf{nat}.Q(x)$. (For readability we have omitted the Set-parameter in Cons.) So,

$$F : (\mathsf{nat} \to (\mathrm{List} + \mathsf{nat})) \to (\mathsf{nat} \to (\mathrm{List} + \mathsf{nat})).$$

Now, iterating $F$ $N+1$ times on $\lambda x{:}\mathsf{nat}.\mathrm{inl}(\mathrm{Nil})$ will either result in a sequence

$$[(0, p_0), (1, p_1), \dots, (N, p_N)]$$

with $p_i : Q(i)$ for each $i$, or in a term $n : \mathsf{nat}$ with $n \le N$, $Pn \twoheadrightarrow \mathrm{inr}(p)$
and $p : \neg Q(n)$. Obviously, in this example one will never wish to use the fixed
point combinator, as we are doing a bounded search.
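The two constructions of this section (the bounded search $Y^N_I F\, 0$ of Definition 3, its unbounded variant $Y F\, 0$, and the list-collecting $F$ of the second example), as an added Python model that is not code from the paper or from Coq: `rec_nat` plays the role of $\mathrm{Rec}_{\mathsf{nat}}$ with its two $\iota$-rules, `y_bounded` is $Y^n_a$, `unbounded_search` unfolds $Y f \to f(Y f)$ lazily, and `check_all` iterates the second $F$ $N+1$ times on $\lambda x{:}\mathsf{nat}.\mathrm{inl}(\mathrm{Nil})$. The decision procedure $P$ is an ordinary function returning `('inl', p)` or `('inr', p)`; the two sample predicates and the strings standing in for proof terms are constructed for this example.

```python
# Added example: proof search by iterating a decision procedure, after Section 3 of the paper.
from typing import Callable, Tuple

# P : Πn:nat. Q(n) ∨ ¬Q(n) is modelled as a function returning ('inl', p) with p : Q(n)
# or ('inr', p) with p : ¬Q(n); the proof objects p are plain strings here.
Decider = Callable[[int], Tuple[str, str]]

def rec_nat(f1, f2, n: int):
    """Rec_nat f1 f2 n, computed by the ι-rules Rec f1 f2 0 → f1 and
    Rec f1 f2 (S x) → f2 x (Rec f1 f2 x)."""
    acc = f1
    for x in range(n):
        acc = f2(x, acc)
    return acc

def y_bounded(a, n: int):
    """Y^n_a := λf. Rec_nat a (λx:nat. λy:A. f y) n, so that Y^n_a f ↠ f^n(a)."""
    return lambda f: rec_nat(a, lambda x, y: f(y), n)

def make_F(P: Decider):
    """F := λg:nat→nat. λn:nat. case P n of inl(p) ⇒ n | inr(p) ⇒ g(n+1)."""
    def F(g):
        return lambda n: n if P(n)[0] == 'inl' else g(n + 1)
    return F

def bounded_search(P: Decider, N: int) -> int:
    """Y^N_I F 0 with I := λx:nat.x: the least n < N with Q(n), or N if there is none."""
    I = lambda x: x
    return y_bounded(I, N)(make_F(P))(0)

def unbounded_search(P: Decider) -> int:
    """Y F 0, unfolding Y f → f (Y f) on demand; diverges if Q(n) holds for no n."""
    F = make_F(P)
    def yF(n):                      # Y F n  =  F (Y F) n
        return F(yF)(n)
    return yF(0)

def check_all(P: Decider, N: int):
    """Second example: iterate
         F := λg. λn. case P n of inl(p) ⇒ (case g(n+1) of inl(l) ⇒ inl(Cons l (n,p))
                                                         | inr(m) ⇒ inr(m))
                                | inr(p) ⇒ inr(n)
       N+1 times on λx:nat. inl(Nil) and apply the result to 0.  Returns either
       ('inl', [(0,p0), ..., (N,pN)]) with p_i : Q(i), or ('inr', n) for the first n ≤ N
       with ¬Q(n)."""
    def F(g):
        def step(n):
            tag, p = P(n)
            if tag == 'inr':
                return ('inr', n)
            tag2, v = g(n + 1)
            return ('inl', [(n, p)] + v) if tag2 == 'inl' else ('inr', v)
        return step
    nil = lambda x: ('inl', [])
    return y_bounded(nil, N + 1)(F)(0)

# Constructed sample predicate: Q(n) := n*n > 50, decidable by computation.
def decide_square_gt_50(n: int) -> Tuple[str, str]:
    return ('inl', f'{n}*{n} > 50') if n * n > 50 else ('inr', f'{n}*{n} <= 50')

# Constructed sample predicate that holds only for n < 3.
def decide_lt_3(n: int) -> Tuple[str, str]:
    return ('inl', f'{n} < 3') if n < 3 else ('inr', f'{n} >= 3')

if __name__ == '__main__':
    print(bounded_search(decide_square_gt_50, 5))    # 5: no n < 5 satisfies Q
    print(bounded_search(decide_square_gt_50, 20))   # 8
    print(unbounded_search(decide_square_gt_50))     # 8
    print(check_all(decide_lt_3, 2))                 # ('inl', [(0, '0 < 3'), (1, '1 < 3'), (2, '2 < 3')])
    print(check_all(decide_lt_3, 5))                 # ('inr', 3)
```

As in the paper, the search is carried out entirely by reduction: `bounded_search` never inspects more than $N$ values of $P$ and always terminates, whereas `unbounded_search` is only as safe as the predicate it is given (Python's recursion limit stands in for non-termination here), which is exactly the gap the conservativity result of the next section addresses.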

4 Meta-theory of Pure Type Systems with Y

Most of the meta-theoretical properties of PTSs are not affected by the inclusion
of a fixpoint combinator $Y$. (The obvious exception is strong normalization, of
course!) In particular:

Proposition 7 (Church-Rosser (CR$_Y$)).

The $\beta Y$-reduction is Church-Rosser on the set of pseudoterms $\mathcal{T}$.

Proposition 8 (Correctness of Types (CT$_Y$)).

If $\Gamma \vdash_{S+Y} M : A$ then $\Gamma \vdash_{S+Y} A : s$ or $A \equiv s$ for some $s \in \mathcal{S}$.

Proposition 9 (Subject Reduction (SR$_Y$)).

If $\Gamma \vdash_{S+Y} M : A$ and $M \twoheadrightarrow_{\beta Y} N$, then $\Gamma \vdash_{S+Y} N : A$.

Proposition 10 (Unicity of Types for functional PTSs (UT$_Y$)).

For functional PTSs, if $\Gamma \vdash_{S+Y} M : A$ and $\Gamma \vdash_{S+Y} M : B$, then $A =_{\beta Y} B$.

In addition to the properties above, to prove conservativity of $Y$ we also need
the (very basic) ones below.
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Proposition 11 (iTy-generation). Let F IIx:A.B : s. Then there exists 

a rule (si, S 2 , s) e TZ such that F A : Si and F,x:A B : S 2 

Proposition 12 (axiomy-generation). 

Let F hsyy s : s' with s, s' € S . Then (s, s') G A. 

All the properties of PTSs with V above can be proved in exactly the same 
way as for PTSs. The trick to proving Conservativity (1 below) is to prove the 
following, slightly weaker, property. A direct proof of Conservativity by induction 
on derivations fails. 

Lemma 1. For functional PTSs, if $\Gamma \vdash_{S+Y} M : A$ with $\Gamma$ and $M$ not containing
$Y$, then $\Gamma \vdash M : A'$ for some $A'$ with $A \twoheadrightarrow_{\beta Y} A'$.

Proof. Induction on the derivation of $\Gamma \vdash_{S+Y} M : A$. The interesting cases are
the abstraction and application rule:

— Suppose the last step in the derivation is

    $\Gamma \vdash_{S+Y} M : \Pi x{:}A.B$     $\Gamma \vdash_{S+Y} N : A$
    -------------------------------------------------
    $\Gamma \vdash_{S+Y} MN : B[N/x]$

By the IH $\Gamma \vdash M : C$ for some $C$ with $\Pi x{:}A.B \twoheadrightarrow_{\beta Y} C$. So, $C$ is a
$\Pi$-abstraction, say $C = \Pi x{:}A'.B'$. Then $A \twoheadrightarrow_{\beta Y} A'$ and $B \twoheadrightarrow_{\beta Y} B'$. By
Proposition 6, $\Gamma \vdash A' : s_1$ for some $s_1$. By the IH $\Gamma \vdash N : A''$ for some $A''$
with $A \twoheadrightarrow_{\beta Y} A''$. As $A' =_{\beta Y} A''$ and $A', A''$ do not contain $Y$, we conclude
$A' =_{\beta} A''$ (using $\mathrm{CR}_{\beta Y}$). Hence $\Gamma \vdash N : A'$ by the (conv) rule. Now,
$\Gamma \vdash MN : B'[N/x]$ by the (app) rule and indeed $B[N/x] \twoheadrightarrow_{\beta Y} B'[N/x]$.

— Suppose the last step in the derivation is

    $\Gamma, x{:}A \vdash_{S+Y} M : B$     $\Gamma \vdash_{S+Y} \Pi x{:}A.B : s$
    ----------------------------------------------------
    $\Gamma \vdash_{S+Y} \lambda x{:}A.M : \Pi x{:}A.B$

By the IH on the first premise $\Gamma, x{:}A \vdash M : B'$ for some $B'$ with $B \twoheadrightarrow_{\beta Y} B'$.
Unfortunately we cannot use the IH on the second premise - $\Gamma \vdash_{S+Y} \Pi x{:}A.B : s$ -
as $\Pi x{:}A.B$ may contain $Y$. We reason as follows: $\Gamma \vdash A : s_1$
(for some $s_1$). By CT (Proposition 2), $\Gamma, x{:}A \vdash B' : s_2$ for some $s_2$ (i) or
$B' = s'$ for some $s'$ (ii). Looking at these two cases:

(i) As ${\vdash} \subseteq {\vdash_{S+Y}}$ we know $\Gamma \vdash_{S+Y} A : s_1$ and $\Gamma, x{:}A \vdash_{S+Y} B' : s_2$. Using
$\mathrm{SR}_Y$ we find $\Gamma \vdash_{S+Y} \Pi x{:}A.B' : s$. Combining this with Proposition 11
and $\mathrm{UT}_Y$ we conclude $(s_1, s_2, s) \in \mathcal{R}$. So $\Gamma \vdash \Pi x{:}A.B' : s$.

(ii) As ${\vdash} \subseteq {\vdash_{S+Y}}$ we know $\Gamma \vdash_{S+Y} A : s_1$. Using $\mathrm{SR}_Y$ we find $\Gamma \vdash_{S+Y}
\Pi x{:}A.B' : s$. Combining this with Proposition 11 and $\mathrm{UT}_Y$ we conclude
$(s_1, s_2, s) \in \mathcal{R}$ and $\Gamma, x{:}A \vdash_{S+Y} B' : s_2$ for some $s_2$. Since $B' = s'$,
$s' : s_2$ must be an axiom, so $\Gamma, x{:}A \vdash B' : s_2$. Hence $\Gamma \vdash \Pi x{:}A.B' : s$.

Now $\Gamma \vdash \lambda x{:}A.M : \Pi x{:}A.B'$ by the ($\lambda$) rule and $\Pi x{:}A.B \twoheadrightarrow_{\beta Y} \Pi x{:}A.B'$.

Conservativity is an easy consequence of the lemma above.
Corollary 1 (Conservativity for functional PTSs).

Consider a functional PTS. Let $\Gamma \vdash_{S+Y} M : A$ with $\Gamma$, $M$, and $A$ not containing
$Y$. Then $\Gamma \vdash M : A$.

Proof. By the previous lemma $\Gamma \vdash M : A'$ for some $A'$ with $A \twoheadrightarrow_{\beta Y} A'$. By
$\mathrm{CT}_Y$ we have $\Gamma \vdash_{S+Y} A : s$ or $A = s$ for some $s \in \mathcal{S}$. In the second case,
$A' = A = s$, so $\Gamma \vdash M : A$. In the first case, $\Gamma \vdash A : s$ by the previous Lemma,
so $\Gamma \vdash M : A$ by the conversion rule.

With respect to the issue of decidability of type inference: in general, the
addition of a fixed point combinator will make type inference undecidable. This
is because $Y$ allows us to define all partial recursive functions. So, if $F : \mathrm{nat} \to \mathrm{nat}$
is some closed term, representing a partial recursive function and we take $\Gamma =
P : \mathrm{nat} \to \mathrm{Prop},\ X : P\,0$, then

    $X : P(F\,0)$ iff $F\,0 = 0$.

So, a type inference algorithm would give us a decision algorithm for the value
of partial recursive functions on 0, quod non: type inference is undecidable.

Nevertheless, we still want to be able to edit the term $Y F$ that defines our
proof search. That is, we would like to be able to interactively construct $Y F$
and have it type checked by the proof engine. If we look back at the examples
in Section 3, we see that the ‘proof search terms’ $Y F$ that are given here can be
type checked: if we apply the usual type-checking algorithm to these terms, the
$Y$-reduction, which is the only possible source for infinite reductions (and hence
undecidability), is never used.

To be more precise: the proof search terms that we have constructed can all
be type-checked in the system $\lambda\mathrm{PRED}\omega$, where $Y$ is treated as a constant that
takes a term of type $A \to A$ to a term of type $A$. (The $\lambda\mathrm{PRED}\omega$ type-checking
algorithm applies immediately to this small extension. Alternatively one could
extend $\lambda\mathrm{PRED}\omega$ with the rule $(\mathrm{Type}^s, \mathrm{Set})$. Then put $Y : \Pi\alpha{:}\mathrm{Set}.(\alpha \to \alpha) \to \alpha$ in
the context and use the type-checking algorithm for this extension of $\lambda\mathrm{PRED}\omega$.)

This is a general situation: in the phase of constructing the proof search term
we can treat $Y$ as a constant (without reduction behaviour). So then we are
dealing with well-known type systems. When we have constructed the proof search
term, we let it reduce and if this results in a normal form, the conservativity
property, Corollary 1, guarantees that we have found a proof in the original type
system.

5 Conclusions and Related Work

We have presented a method for proof search inside the proof system of higher
order predicate logic with inductive types. We have tested our method by some
examples using the proof engine Coq. See [Zwanenburg e.a. 1999] for the examples;
the methods turn out to be reasonably fast. In our first example we are
looking for a ‘witness’ $n$ of the property $Q$, using $F^N$, which iterates $F$ up to
$N$ times, starting from 0. One could do this similarly in the meta language of the
proof system (the implementation language), which may be faster, but also requires
a lot of knowledge of the implementation and experience in programming
in the meta-language.

We have also presented the underlying theory, why doing an unbounded search
(by adding a fixed point combinator) does not spoil the logical proof system.
The addition of a fixed point combinator to the Calculus of Constructions (CC)
has also previously been studied in [Audebaud 1991]. His goal is to overcome the
problem with the second order definable datatypes in CC, so he is using the fixed
point mainly to be able to define data types (of type Set in our system) that have
the desirable properties. We don’t have to do that, because we use the extension
with inductive types, which provides us with the necessary data types. Moreover,
we are especially interested in using the fixed point combinator to define
(potentially) infinite computations to search for witnesses and proof-objects.
Abstract. We present a definition of untyped $\lambda$-terms using a heterogeneous
datatype, i.e. an inductively defined operator. This operator
can be extended to a Kleisli triple, which is a concise way to verify the
substitution laws for $\lambda$-calculus. We also observe that repetitions in the
definition of the monad as well as in the proofs can be avoided by using
well-founded recursion and induction instead of structural induction. We
extend the construction to the simply typed $\lambda$-calculus using dependent
types, and show that this is an instance of a generalization of Kleisli triples.
The proofs for the untyped case have been checked using the LEGO
system.

Keywords. Type Theory, inductive types, $\lambda$-calculus, category theory.



1 Introduction

The metatheory of substitution for $\lambda$-calculi is interesting maybe because it
seems intuitively obvious but becomes quite intricate if we take a closer look.
[Hue92] states seven formal properties of substitution which are then used to
prove a general substitution theorem. When formalizing the proof of strong
normalisation for System F [Alt93b,Alt93a] the first author formally verified five
substitution properties quite similar to those of [Hue92].

Therefore it seems a good idea to look for a more general and elegant way to
state and verify the substitution laws. Obviously, this is also related to the way
lambda terms are presented.

We find a partial answer in the work of Bellegarde and Hook [BH94] who
take the view that lambda terms should be represented by an operator $\mathrm{Lam} \in
\mathrm{Set} \to \mathrm{Set}$, where Set denotes the universe of sets, such that $\mathrm{Lam}(X)$ is the set
of $\lambda$-terms with variables in $X$. This corresponds to the presentation of terms in
universal algebra as an operator $\mathrm{Term} \in \mathrm{Set} \to \mathrm{Set}$. The substitution laws are
captured by verifying that Lam can be extended to a monad or equivalently to
a Kleisli triple (cf. Section 2.1, see also [Man76,Mog91]).

In this paper we are going to revise and extend the work of Bellegarde and
Hook in the following ways:

— The presentation of Lam, see Section 3.2, is improved by using a heterogeneous
datatype^1, i.e. there are no meaningless terms in our representation.
Heterogeneous datatypes have already been discussed in [BM98], where they
are called nested datatypes and modelled by initial algebras in functor
categories, which seems unsatisfactory. Building on this approach, in [BP99]
heterogeneous definitions of untyped $\lambda$-terms are investigated.

— Repetitions in the definition of the monad and in the verification can be
avoided by using well founded recursion (along a primitive recursive well-ordering)
instead of structural recursion, see section 4.

— The development has been verified using the LEGO system, see section 4.5.

— We also extend this approach to the simply typed $\lambda$-calculus, see Section 5.
To do this we present a generalization of Kleisli triples, which we call Kleisli
structures, see 5.1.

— We analyze the type of inductive definitions needed in every step of the
formalization using initial algebras of functors. We consider two generalizations
of the usual scheme of inductive definitions: heterogeneous (see 3.1)
and dependent inductive definitions (see Section 5.2).

Our work seems to be closely related to recent work by Fiore, Plotkin and
Turi [FPT99] who pursue a more abstract algebraic treatment of signatures with
binders but do not cover the simply typed case. Higher order syntax can also be
used to represent $\lambda$-terms, i.e. in [Hof99].

2 Preliminaries

As a metatheory we use an informal version of extensional Type Theory, details
can be found in [Mar84,Hof97]. Since we do not exploit the proposition-as-types
principle we work in a system quite close to conventional intuitionistic set theory.
We use Set and Prop to denote the types of sets and propositions.

Notationally, we adopt the following conventions: We write the type of implicit
parameters of dependent functions as subscripts, i.e. $\Pi_{n \in \mathrm{Nat}}\mathrm{Fin}(n) \to \mathrm{Set}$
is a type of functions whose first argument is usually omitted. The hidden argument
can be made explicit by putting it in subscript, i.e. we write e.g. $f_X \in T(X)$
when we mean $f \in \Pi_{X \in C}T(X)$ for some type $C \in \mathrm{Set}$ obvious from the
context. Given $P, Q \in A \to \mathrm{Prop}$ we write $P \subseteq Q$ for $\forall a \in A.\,P(a) \to Q(a)$. Given
a curried function $f \in A_1 \to A_2 \to \ldots \to A_n$ we write the application to a
sequence of arguments $a_1, a_2, \ldots, a_n$ as $f(a_1, a_2, \ldots, a_n)$. The same convention
holds for $\Pi$-types.

The rest of this section briefly reviews Kleisli triples, initial algebras, and
inductive datatypes and might be skipped by the experienced reader.

2.1 Kleisli Triples

We present monads as Kleisli triples, i.e.

^1 It seems that the idea for this presentation goes back to Hook, but he didn’t use it
in the paper because it cannot be implemented in SML.
Definition 1. A Kleisli triple $(T, \eta^T, \mathrm{bind}^T)$ on a category $\mathbf{C}$ is given by

— a function on the objects: $T \in |\mathbf{C}| \to |\mathbf{C}|$

— a family of morphisms indexed by objects $X \in |\mathbf{C}|$: $\eta_X \in \mathbf{C}(X, T(X))$

— a family of functions indexed by $X, Y \in |\mathbf{C}|$:

    $\mathrm{bind}_{X,Y} \in \mathbf{C}(X, T(Y)) \to \mathbf{C}(T(X), T(Y))$

which are subject to the following equations:

1. $\mathrm{bind}_{X,X}(\eta_X) = 1_{T(X)}$

2. $\mathrm{bind}_{X,Y}(f) \circ \eta_X = f$, where $f \in \mathbf{C}(X, T(Y))$.

3. $\mathrm{bind}_{X,Z}(\mathrm{bind}_{Y,Z}(f) \circ g) = \mathrm{bind}_{Y,Z}(f) \circ \mathrm{bind}_{X,Y}(g)$,
where $f \in \mathbf{C}(Y, T(Z))$, $g \in \mathbf{C}(X, T(Y))$.

Kleisli triples were introduced in [Man76], where they are also shown to be
equivalent to the conventional presentation of monads, see [ML71], pp. 133.



2.2 Initial Algebras

Definition 2. For any endofunctor $T : \mathbf{C} \to \mathbf{C}$ an initial $T$-algebra $(\mu^T, c^T, \mathrm{It}^T)$
is given by

— an object $\mu^T \in |\mathbf{C}|$

— a morphism $c^T \in \mathbf{C}(T(\mu^T), \mu^T)$

— a family of functions indexed by $X \in |\mathbf{C}|$: $\mathrm{It}^T_X \in \mathbf{C}(T(X), X) \to \mathbf{C}(\mu^T, X)$

such that given a $T$-algebra $f \in \mathbf{C}(T(X), X)$, the square

    $T(\mu^T)$ ------ $c^T$ ------> $\mu^T$
        |                            |
    $T(\mathrm{It}^T_X(f))$            $\mathrm{It}^T_X(f)$
        v                            v
    $T(X)$ -------- $f$ --------> $X$

commutes, i.e. $\mathrm{It}^T_X(f) \circ c^T = f \circ T(\mathrm{It}^T_X(f))$, and $\mathrm{It}^T_X(f)$ is the unique morphism
with this property, i.e. given any $h \in \mathbf{C}(\mu^T, X)$ with $h \circ c^T = f \circ T(h)$ we have
$h = \mathrm{It}^T_X(f)$.

$\mu^T$ is called weakly initial if $\mathrm{It}^T_X(f)$ exists but is not necessarily unique.

We assume that our ambient category Set is bicartesian closed, i.e. has finite
products $1$, $- \times -$, coproducts $0$, $- + -$ and function spaces $- \to -$. We say
that a variable appears strictly positive in a type, if it never appears on the left
hand side of an arrow type, and positive, if it appears only on the left hand side
of an even number of nested arrow types.



2.3 Inductive Datatypes

To model inductive types we introduce the concept of a strictly positive operator,
i.e. a function $T \in \mathrm{Set} \to \mathrm{Set}$ which is given by a definition $T(X) = \sigma(X)$ such
that $X$ appears strictly positive in $\sigma(X)$. Here we write $\sigma(X)$ for a syntactic type
expression in which the variable $X$ may occur. Every strictly positive operator
gives rise to an endofunctor on Set.

Given a strictly positive operator $T$ we introduce $\mu^T = \mu X.T(X) \in \mathrm{Set}$ to
denote the initial $T$-algebra. We extend strictly positive to $\mu$-types, s.t. $\mu$-types
can be used to define new operators. We say that Set has all strictly positive^2
datatypes if all initial algebras defined by a strictly positive operator exist. This
gives rise to a $\lambda$-calculus $\lambda^\mu$, e.g. see [Alt98].

Examples for inductive datatypes are natural numbers $\mathrm{Nat} = \mu X.1 + X$,
ordinal notations $\mathrm{Ord} = \mu X.1 + X + (\mathrm{Nat} \to X)$ or finitely branching trees
$\mathrm{Tree} = \mu X.\mu Y.1 + X \times Y$.

Datatypes can be conveniently presented by constructors and their types, i.e.
$\mathrm{Nat} \in \mathrm{Set}$ can be presented as $0 \in \mathrm{Nat}$ and $\mathrm{succ} \in \mathrm{Nat} \to \mathrm{Nat}$, analogously
$\mathrm{Ord} \in \mathrm{Set}$ is given by $0' \in \mathrm{Ord}$, $\mathrm{succ}' \in \mathrm{Ord} \to \mathrm{Ord}$ and $\mathrm{lim} \in (\mathrm{Nat} \to \mathrm{Ord}) \to
\mathrm{Ord}$. Nested types like Tree correspond to simultaneous inductive definitions,
i.e. $\mathrm{Tree}, \mathrm{Forest} \in \mathrm{Set}$ is given by $\mathrm{nil} \in \mathrm{Forest}$, $\mathrm{cons} \in \mathrm{Tree} \to \mathrm{Forest} \to \mathrm{Forest}$,
and $\mathrm{span} \in \mathrm{Forest} \to \mathrm{Tree}$.

Parametrized datatypes like lists can be defined as a function $\mathrm{List} \in \mathrm{Set} \to
\mathrm{Set}$ given by $\mathrm{List}(X) = \mu Y.1 + Y \times X$. List is homogeneous because the parameter
$X$ does not change in the inductive definition.

Assuming weak initiality, the uniqueness property can be alternatively expressed
by an induction principle, i.e. given a predicate $P \in \mu^T \to \mathrm{Prop}$ we have

    $c^T(P) \subseteq P$
    --------------------------  (Dat-Ind)
    $\forall x \in \mu^T.\,P(x)$

where $c^T(P) = \{c^T(x) \mid x \in P\}$.

It is well known that all positive inductive types can be encoded impredicatively
(i.e. in System F, [GLT89]):

    $\mu X.T(X) = \Pi X \in \mathrm{Set}.(T(X) \to X) \to X \in \mathrm{Set}$

    $\mathrm{It}^T = \lambda X \in \mathrm{Set}.\lambda f \in T(X) \to X.\lambda x \in \mu X.T(X).\ x\,X\,f$
            $\in \Pi X \in \mathrm{Set}.(T(X) \to X) \to \mu X.T(X) \to X$

    $c^T = \lambda x \in T(\mu X.T(X)).\lambda X \in \mathrm{Set}.\lambda f \in T(X) \to X.\ f(T(\mathrm{It}^T\,X\,f)\,x)$
            $\in T(\mu X.T(X)) \to \mu X.T(X)$

Here $T(-) \in \Pi_{X,Y \in \mathrm{Set}}(X \to Y) \to T(X) \to T(Y)$ is the morphism part
of the functor which can be derived from the fact that it is given by a positive
definition. This encoding is weakly initial, uniqueness can be derived from
parametricity [Wad89,AP93].

3 $\lambda$-Terms as a Heterogeneous Datatype

3.1 Heterogeneous Inductive Datatypes

We interpret heterogeneous datatypes by initial algebras in the category of families
of sets Fam. Objects in Fam are families $F \in \mathrm{Set} \to \mathrm{Set}$ and given families
$F, G \in |\mathrm{Fam}|$ morphisms are families of functions $f \in \Pi X \in \mathrm{Set}.F(X) \to
G(X)$. A strictly positive operator on families is a function $H \in (\mathrm{Set} \to \mathrm{Set}) \to
(\mathrm{Set} \to \mathrm{Set})$ which is given by a definition $H(F) = \lambda X \in \mathrm{Set}.\,\sigma(F, X)$ where
$F$ appears only strictly positive in $\sigma(F, X)$. Every strictly positive operator on
families gives rise to an endofunctor on Fam.

^2 Strictly positive can be replaced by positive, but it is not obvious whether this
extension is still predicative.

Given a strictly positive operator $H$ on families there exists an initial algebra
$\mu^H = \mu F.\lambda X \in \mathrm{Set}.H(F, X) \in \mathrm{Set} \to \mathrm{Set}$. As before we define operators
and inductive types simultaneously. The constructors $c^H$ and $\mathrm{It}^H$ now refer to
morphisms in Fam — this can be spelt out as follows:

    $c^H \in \Pi_{X \in \mathrm{Set}} H(\mu^H, X) \to \mu^H(X)$

    $\mathrm{It}^H \in \Pi_{F \in \mathrm{Set} \to \mathrm{Set}}(\Pi_{X \in \mathrm{Set}} H(F, X) \to F(X)) \to \Pi_{X \in \mathrm{Set}} \mu^H(X) \to F(X)$

The uniqueness property of the inductively defined operator can be also
expressed by the following induction principle: Assume a family of predicates
$P \in \Pi_{X \in \mathrm{Set}} \mu^H(X) \to \mathrm{Prop}$:

    $\forall Y \in \mathrm{Set}.\ c^H(P_Y) \subseteq P_Y$
    ----------------------------------------------  (Het-Ind)
    $\forall Y \in \mathrm{Set}.\forall x \in (\mu X.H(X))(Y).\,P(x)$

The $\lambda$-calculus corresponding to heterogeneous polymorphic definitions has
to our knowledge not yet been explored.

Positive heterogeneous inductive types can be encoded impredicatively (i.e.
in System $F^\omega$):

    $\mu^H = \lambda Y \in \mathrm{Set}.\Pi F \in \mathrm{Set} \to \mathrm{Set}.(\Pi_{X \in \mathrm{Set}} H(F, X) \to F(X)) \to F(Y)$
            $\in \mathrm{Set} \to \mathrm{Set}$

    $\mathrm{It}^H = \lambda F \in \mathrm{Set} \to \mathrm{Set}.\lambda f \in \Pi_{X \in \mathrm{Set}} H(F, X) \to F(X).\lambda X \in \mathrm{Set}.$
            $\lambda x \in \mu^H(X).\ x(F, f)$
            $\in \Pi F \in \mathrm{Set} \to \mathrm{Set}.(\Pi_{X \in \mathrm{Set}} H(F, X) \to F(X)) \to \Pi_{X \in \mathrm{Set}} \mu^H(X) \to F(X)$

    $c^H = \lambda X \in \mathrm{Set}.\lambda x \in H(\mu^H, X).\lambda F \in \mathrm{Set} \to \mathrm{Set}.$
            $\lambda f \in \Pi_{X \in \mathrm{Set}} H(F, X) \to F(X).\ f(H(\mathrm{It}^H(F, f), x))$
            $\in \Pi_{X \in \mathrm{Set}} H(\mu^H, X) \to \mu^H(X)$
3.2 Definition of Lam

An example for a heterogeneous inductive datatype is the operator $\mathrm{Lam} \in \mathrm{Set} \to
\mathrm{Set}$ from the introduction which can be defined as

    $\mathrm{Lam} = \mu F \in \mathrm{Set} \to \mathrm{Set}.\lambda X \in \mathrm{Set}.\ X + (F(X) \times F(X)) + F(X_\uparrow)$

where $X_\uparrow = 1 + X$ with two constructors $\mathrm{new} \in \Pi_{X \in \mathrm{Set}} X_\uparrow$ and $\mathrm{old} \in
\Pi_{X \in \mathrm{Set}} X \to X_\uparrow$ and eliminator $\mathrm{case} \in \Pi_{X,Y \in \mathrm{Set}} Y \to (X \to Y) \to X_\uparrow \to Y$.
Clearly $(-)_\uparrow$ gives rise to a functor.

As before we can present inductively defined operators by giving the
constructors, which in the case of Lam read as follows:

    $\mathrm{var} \in \Pi_{X \in \mathrm{Set}} X \to \mathrm{Lam}(X)$

    $\mathrm{app} \in \Pi_{X \in \mathrm{Set}} \mathrm{Lam}(X) \to \mathrm{Lam}(X) \to \mathrm{Lam}(X)$

    $\mathrm{abst} \in \Pi_{X \in \mathrm{Set}} \mathrm{Lam}(X_\uparrow) \to \mathrm{Lam}(X)$



4 Lam is Monadic

To show that Lam has the structure of a Kleisli triple we first have to define $\eta_X$
and $\mathrm{bind}_{X,Y}$. The former is simply $\mathrm{var}_X$ and the latter can be defined recursively
or structural inductively which gives rise to two different constructions.

4.1 The Recursive Construction

In this case bind and an auxiliary map lift

    $\mathrm{lift} \in \Pi_{X,Y \in \mathrm{Set}}(X \to \mathrm{Lam}(Y)) \to X_\uparrow \to \mathrm{Lam}(Y_\uparrow)$

    $\mathrm{bind} \in \Pi_{X,Y \in \mathrm{Set}}(X \to \mathrm{Lam}(Y)) \to \mathrm{Lam}(X) \to \mathrm{Lam}(Y)$

are defined by simultaneous recursion. The equations defining lift and bind
recursively are given below.

    $\mathrm{lift}(f, \mathrm{new}(X)) = \mathrm{var}(\mathrm{new}(Y))$
    $\mathrm{lift}(f, \mathrm{old}(x)) = \mathrm{bind}(\mathrm{var} \circ \mathrm{old}, f(x))$
    $\mathrm{bind}(f, \mathrm{var}(x)) = f(x)$
    $\mathrm{bind}(f, \mathrm{app}(s, t)) = \mathrm{app}(\mathrm{bind}(f, s), \mathrm{bind}(f, t))$
    $\mathrm{bind}(f, \mathrm{abst}(t)) = \mathrm{abst}(\mathrm{bind}(\mathrm{lift}(f), t))$

We must first prove that bind is terminating.

Definition 3. Let $f \in A \to \mathrm{Lam}(B)$ for arbitrary $A, B \in \mathrm{Set}$ then let $\mathrm{isVar}(f) \Leftrightarrow
\exists h : A \to B.\ f = \mathrm{var}_B \circ h$ and

    $v(f) = 0$ if $\mathrm{isVar}(f)$, and $v(f) = 1$ otherwise.

Now we are in a position to define a termination order for bind. For any
recursive call $\mathrm{bind}(f', t')$ inside of $\mathrm{bind}(f, t)$ we must have $(f', t') <_b (f, t)$. To
that end we define

    $(f', t') <_b (f, t) \Leftrightarrow v(f') < v(f) \vee (v(f') = v(f) \wedge t' <_s t)$

where $<_s$ is the structural order on terms. As $<_b$ is the lexicographic order on
two well-founded orders we immediately get the following observation.
Proposition 1. The order $<_b$ is well-founded.

For the termination of bind the fact below is important.

Proposition 2. For any $f$ of appropriate type it holds that $v(\mathrm{lift}(f)) \le v(f)$.

Proof. Assume that $v(f) = 0$ hence $f = \mathrm{var} \circ h$. By case analysis it is easily
verified that $\mathrm{lift}(f) = \mathrm{var} \circ \mathrm{case}(\mathrm{new}, \mathrm{old} \circ h)$, hence $v(\mathrm{lift}(f)) = 0$. Thus, we have
shown that $v(\mathrm{lift}(f)) \le v(f)$.

Proposition 3. bind is a terminating function.

Proof. The only difficult case is $\mathrm{bind}(f, \mathrm{abst}(t)) = \mathrm{abst}(\mathrm{bind}(\mathrm{lift}(f), t))$. Since
$v(\mathrm{lift}(f)) \le v(f)$ and $t <_s \mathrm{abst}(t)$ we get that $(\mathrm{lift}(f), t) <_b (f, \mathrm{abst}(t))$.

Condition 2. of Definition 1 holds by definition of bind.

Proposition 4. Condition 1. of Definition 1 holds, i.e.

    $\forall t \in \mathrm{Lam}(X).\ \mathrm{bind}(\mathrm{var}_X, t) = t.$

Proof. Proof by structural induction on $t$: The var-case is trivial. Assume that
$t = \mathrm{app}(a, b)$ and $\mathrm{bind}(\mathrm{var}_X, a) = a$ and $\mathrm{bind}(\mathrm{var}_X, b) = b$. Thus we obtain

    $\mathrm{bind}(\mathrm{var}_X, \mathrm{app}(a, b)) = \mathrm{app}(\mathrm{bind}(\mathrm{var}_X, a), \mathrm{bind}(\mathrm{var}_X, b)) = \mathrm{app}(a, b).$

Finally, assume that $t = \mathrm{abst}(s)$ and that $\mathrm{bind}(\mathrm{var}_{X_\uparrow}, s) = s$. Then

    $\mathrm{bind}(\mathrm{var}_X, \mathrm{abst}(s)) = \mathrm{abst}(\mathrm{bind}(\mathrm{lift}(\mathrm{var}_X), s)) = \mathrm{abst}(\mathrm{bind}(\mathrm{var}_{X_\uparrow}, s))$
    $= \mathrm{abst}(s) = t$ by induction hypothesis.

Proposition 5. Condition 3. of Definition 1 holds:

    $\forall f \in A \to \mathrm{Lam}(B).\forall g \in B \to \mathrm{Lam}(C).\ \mathrm{bind}(g) \circ \mathrm{bind}(f) = \mathrm{bind}(\mathrm{bind}(g) \circ f)$

Proof. Using extensionality and well-founded induction this amounts to proving
three cases: The var and the app-cases are again easy. We concentrate on the
abst-case.

    $(\mathrm{bind}(g) \circ \mathrm{bind}(f))(\mathrm{abst}(t)) = \mathrm{bind}(g, \mathrm{bind}(f, \mathrm{abst}(t)))$
    $= \mathrm{bind}(g, \mathrm{abst}(\mathrm{bind}(\mathrm{lift}(f), t)))$
    $= \mathrm{abst}(\mathrm{bind}(\mathrm{lift}(g), \mathrm{bind}(\mathrm{lift}(f), t)))$
    $= \mathrm{abst}((\mathrm{bind}(\mathrm{lift}(g)) \circ \mathrm{bind}(\mathrm{lift}(f)))(t))$
    $= \mathrm{abst}(\mathrm{bind}(\mathrm{bind}(\mathrm{lift}(g)) \circ \mathrm{lift}(f), t)).$  (ind.hyp.)

On the other hand $\mathrm{bind}(\mathrm{bind}(g) \circ f, \mathrm{abst}(t)) = \mathrm{abst}(\mathrm{bind}(\mathrm{lift}(\mathrm{bind}(g) \circ f), t))$
such that it remains to show

    $\mathrm{lift}(\mathrm{bind}(g) \circ f) = \mathrm{bind}(\mathrm{lift}(g)) \circ \mathrm{lift}(f)$

which is proved by extensionality and case analysis on the argument. First if the
argument is a “new” variable then by definition of lift and bind:

    $(\mathrm{bind}(\mathrm{lift}(g)) \circ \mathrm{lift}(f))(\mathrm{new}(A)) = \mathrm{lift}(\mathrm{bind}(g) \circ f, \mathrm{new}(A))$

In the other case we first distinguish whether $\mathrm{isVar}(f)$ holds or not:
1. Case: $\mathrm{isVar}(f)$:

Then there is an $h \in A \to B$ such that $f = \mathrm{var}_B \circ h$.

    $\mathrm{lift}(\mathrm{bind}(g) \circ (\mathrm{var}_B \circ h)) \circ \mathrm{old}_A$
    $= \mathrm{lift}(g \circ h) \circ \mathrm{old}_A$  (Def. bind)
    $= \mathrm{bind}(\mathrm{var}_{C_\uparrow} \circ \mathrm{old}_C) \circ g \circ h$  (Def. lift)
    $= \mathrm{lift}(g) \circ \mathrm{old}_B \circ h$  (Def. bind)
    $= \mathrm{bind}(\mathrm{lift}(g)) \circ \mathrm{var}_{B_\uparrow} \circ \mathrm{old}_B \circ h$  (Def. bind reverse)
    $= \mathrm{bind}(\mathrm{lift}(g)) \circ \mathrm{bind}(\mathrm{var}_{B_\uparrow} \circ \mathrm{old}_B) \circ \mathrm{var}_B \circ h$  (Def. bind reverse)
    $= \mathrm{bind}(\mathrm{lift}(g)) \circ \mathrm{lift}(\mathrm{var}_B \circ h) \circ \mathrm{old}_A$  (Def. lift reverse)

2. Case: $\neg\mathrm{isVar}(f)$:

    $\mathrm{lift}(\mathrm{bind}(g) \circ f) \circ \mathrm{old}_A = \mathrm{bind}(\mathrm{var}_{C_\uparrow} \circ \mathrm{old}_C) \circ \mathrm{bind}(g) \circ f$  (*)
    $= \mathrm{bind}(\mathrm{lift}(g)) \circ \mathrm{bind}(\mathrm{var}_{B_\uparrow} \circ \mathrm{old}_B) \circ f$
    $= \mathrm{bind}(\mathrm{lift}(g)) \circ \mathrm{lift}(f) \circ \mathrm{old}_A$

For (*) it remains to show that

    $\mathrm{bind}(\mathrm{var}_{C_\uparrow} \circ \mathrm{old}_C) \circ \mathrm{bind}(g) = \mathrm{bind}(\mathrm{lift}(g)) \circ \mathrm{bind}(\mathrm{var}_{B_\uparrow} \circ \mathrm{old}_B)$

which is proved below

    $\mathrm{bind}(\mathrm{var}_{C_\uparrow} \circ \mathrm{old}_C) \circ \mathrm{bind}(g)$
    $= \mathrm{bind}(\mathrm{bind}(\mathrm{var}_{C_\uparrow} \circ \mathrm{old}_C) \circ g)$  (ind.hyp.)
    $= \mathrm{bind}(\mathrm{lift}(g) \circ \mathrm{old}_B)$
    $= \mathrm{bind}(\mathrm{bind}(\mathrm{lift}(g)) \circ \mathrm{var}_{B_\uparrow} \circ \mathrm{old}_B)$  (Def. bind & ext.)
    $= \mathrm{bind}(\mathrm{lift}(g)) \circ \mathrm{bind}(\mathrm{var}_{B_\uparrow} \circ \mathrm{old}_B)$  (ind.hyp.)

The induction hypothesis is used three times. As we do not use structural
induction we must give a termination order $<'$ such that when proving

    $(\mathrm{bind}(g) \circ \mathrm{bind}(f))(t) = \mathrm{bind}(\mathrm{bind}(g) \circ f, t)$

we use the induction hypothesis

    $(\mathrm{bind}(g') \circ \mathrm{bind}(f'))(t') = \mathrm{bind}(\mathrm{bind}(g') \circ f', t')$

only if $(f', g', t') <' (f, g, t)$ for appropriate well-founded order $<'$. We define
this order as follows

    $(f', g', t') <' (f, g, t) \Leftrightarrow (f = f' \wedge g = g' \wedge t' <_s t) \vee (v(f') + v(g') < v(f) + v(g)).$

For the first application of the hypotheses the condition $(f, g, t) <' (f, g, \mathrm{abst}(t))$
holds by the structural order on the last argument. For the second we have to
show $(g, \mathrm{var}_{C_\uparrow} \circ \mathrm{old}_C, s) <' (f, g, s)$ in case $\neg\mathrm{isVar}(f)$ holds. As $\mathrm{isVar}(\mathrm{var}_{C_\uparrow} \circ k)$
holds for any $k$, $0 = v(\mathrm{var}_{C_\uparrow} \circ \mathrm{old}_C) < v(f) = 1$, hence $v(g) + v(\mathrm{var}_{C_\uparrow} \circ \mathrm{old}_C) <
v(f) + v(g)$. The proof of the third case, $(\mathrm{var}_{B_\uparrow} \circ \mathrm{old}_B, \mathrm{lift}(g), s) <' (f, g, s)$,
under the assumption $\neg\mathrm{isVar}(f)$, is similar.

One might argue that the proof is not constructive as we do a case analysis
on the undecidable predicate $\mathrm{isVar}(f)$. However, we can instead introduce an
additional precondition $(\mathrm{isVar}(f) \vee \mathrm{True}) \wedge (\mathrm{isVar}(g) \vee \mathrm{True})$ where True
corresponds to don’t know. We do case analysis over the disjunctions. When using a
recursive hypothesis with $f = \mathrm{var} \circ h$ we prove the precondition by a left injection
(the same for $g$).

We summarize the result:

Corollary 1. $(\mathrm{Lam}(-), \mathrm{var}, \mathrm{bind})$ is a Kleisli triple.



4.2 The Construction by Structural Induction

There is also a proof by structural induction. In this case we define bind and lift
and also $\mathrm{Lam}(-)$, the morphism part of the functor:

    $\mathrm{Lam} \in \Pi_{X,Y \in \mathrm{Set}}(X \to Y) \to \mathrm{Lam}(X) \to \mathrm{Lam}(Y)$

    $\mathrm{lift}(f, \mathrm{new}(X)) = \mathrm{var}(\mathrm{new}(Y))$
    $\mathrm{lift}(f, \mathrm{old}(x)) = \mathrm{Lam}(\mathrm{old}, f(x))$

    $\mathrm{Lam}(f, \mathrm{var}(x)) = \mathrm{var}(f(x))$
    $\mathrm{Lam}(f, \mathrm{app}(s, t)) = \mathrm{app}(\mathrm{Lam}(f, s), \mathrm{Lam}(f, t))$
    $\mathrm{Lam}(f, \mathrm{abst}(t)) = \mathrm{abst}(\mathrm{Lam}(f_\uparrow, t))$

    $\mathrm{bind}(f, \mathrm{var}(x)) = f(x)$
    $\mathrm{bind}(f, \mathrm{app}(s, t)) = \mathrm{app}(\mathrm{bind}(f, s), \mathrm{bind}(f, t))$
    $\mathrm{bind}(f, \mathrm{abst}(t)) = \mathrm{abst}(\mathrm{bind}(\mathrm{lift}(f), t))$

Note that bind is defined as in the recursive case, but now lift is not defined in
terms of bind so all definitions are structural inductive.

Additional to the propositions shown above, one also needs to show that Lam
and $(-)_\uparrow$ are functorial.

Note that here $\mathrm{Lam}(h)$ takes the part of $\mathrm{bind}(\mathrm{var} \circ h)$ and thus the proof of
(*) can be done by structural induction showing first the following two special
instances of the third monad law:

    $\forall f \in B \to C.\forall g \in A \to \mathrm{Lam}(B).\ \mathrm{Lam}(f) \circ \mathrm{bind}(g) = \mathrm{bind}(\mathrm{Lam}(f) \circ g)$
    $\forall f \in B \to \mathrm{Lam}(C).\forall g \in A \to B.\ \mathrm{bind}(f) \circ \mathrm{Lam}(g) = \mathrm{bind}(f \circ g)$

By combining those one immediately gets

    $\forall g \in A \to \mathrm{Lam}(B).\ \mathrm{bind}(\mathrm{lift}(g)) \circ \mathrm{Lam}(\mathrm{old}_A) = \mathrm{Lam}(\mathrm{old}_B) \circ \mathrm{bind}(g)$

and from this one can easily derive (*) in the proof of Proposition 5

    $\mathrm{lift}(\mathrm{bind}(g) \circ f) = \mathrm{bind}(\mathrm{lift}(g)) \circ \mathrm{lift}(f).$




462    T. Altenkirch and B. Reus



The LEGO-code of the structural inductive and the general recursive proof is
interesting in the sense that the latter version is only half the size of the former
- without the termination proof though. This emphasizes the significance of type
theory with general recursion as long as termination can be ensured externally
(possibly syntactically).

4.3 Substitution

Once we have $\mathrm{bind}^{\mathrm{Lam}}$ and $\eta^{\mathrm{Lam}}$ we can define a substitution operator on Lam-terms
$\mathrm{subst} \in \Pi_{A \in \mathrm{Set}} \mathrm{Lam}(A_\uparrow) \to \mathrm{Lam}(A) \to \mathrm{Lam}(A)$ as follows

    $\mathrm{subst}_A(t, s) = \mathrm{bind}(\mathrm{case}(s, \mathrm{var}_A), t)$

The weakening $\mathrm{weak} \in \Pi_{A \in \mathrm{Set}} \mathrm{Lam}(A) \to \mathrm{Lam}(A_\uparrow)$ can be written

    $\mathrm{weak}_A = \mathrm{bind}(\mathrm{var}_{A_\uparrow} \circ \mathrm{old}_A)$

That substitution and weakening have the right properties follows immediately
from the Kleisli properties for bind and var. As an example we show how to
derive $\mathrm{subst}(\mathrm{weak}(t), u) = t$:

    $\mathrm{subst}(\mathrm{weak}(t), u) = \mathrm{bind}(\mathrm{case}(u, \mathrm{var}), \mathrm{bind}(\mathrm{var} \circ \mathrm{old}, t))$
    $= \mathrm{bind}(\mathrm{bind}(\mathrm{case}(u, \mathrm{var})) \circ (\mathrm{var} \circ \mathrm{old}), t)$  (3.)
    $= \mathrm{bind}(\mathrm{case}(u, \mathrm{var}) \circ \mathrm{old}, t)$  (2.)
    $= \mathrm{bind}(\mathrm{var}, t)$
    $= t$  (1.)

The numbers refer to the equations in Definition 1.
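The datatype Lam of Section 3.2 with bind and lift (recursive construction, 4.1), $\mathrm{Lam}(f)$ and the structural lift (4.2), and subst/weak (4.3), as an added Python model that is not the paper's LEGO or Haskell code. Python carries no types, so the nesting $X \to X_\uparrow$ is only visible in the values new and old(x); the sample terms and substitutions are constructed, and the functions at the end check the three Kleisli equations, the agreement of the two lifts, and the derivation $\mathrm{subst}(\mathrm{weak}(t), u) = t$ on them.

```python
# Added Python model of Lam (3.2) with bind/lift (4.1), Lam(f) and the structural
# lift (4.2), subst/weak (4.3); not the paper's code. Python is untyped, so
# X_up = 1 + X is only visible in the values New() and Old(x).
from dataclasses import dataclass
from typing import Any, Callable

@dataclass(frozen=True)
class New:                      # new : X_up, the single inhabitant of the summand 1
    pass

@dataclass(frozen=True)
class Old:                      # old(x) : X_up for x : X
    x: Any

NEW = New()

def case(y, f: Callable, v):
    """Eliminator of X_up: case(y, f, new) = y and case(y, f, old(x)) = f(x)."""
    return y if isinstance(v, New) else f(v.x)

# Lam(X) = X + Lam(X) x Lam(X) + Lam(X_up), with constructors var, app, abst
@dataclass(frozen=True)
class Var:
    x: Any

@dataclass(frozen=True)
class App:
    s: Any
    t: Any

@dataclass(frozen=True)
class Abst:
    body: Any                   # a term over X_up; NEW is the bound variable

def var(x):                     # eta_X = var_X
    return Var(x)

def bind(f: Callable, t):
    """bind(f, t) for f : X -> Lam(Y): replace each variable x of t by f(x)."""
    if isinstance(t, Var):
        return f(t.x)
    if isinstance(t, App):
        return App(bind(f, t.s), bind(f, t.t))
    return Abst(bind(lift(f), t.body))

def lift(f: Callable) -> Callable:
    """lift(f) : X_up -> Lam(Y_up), recursive construction of 4.1:
    lift(f, new) = var(new), lift(f, old(x)) = bind(var o old, f(x))."""
    return lambda v: Var(NEW) if isinstance(v, New) else bind(lambda y: Var(Old(y)), f(v.x))

def fmap(h: Callable, t):
    """Lam(h) for h : X -> Y, the morphism part of the functor (4.2); under a
    binder h is lifted to h_up : X_up -> Y_up."""
    if isinstance(t, Var):
        return Var(h(t.x))
    if isinstance(t, App):
        return App(fmap(h, t.s), fmap(h, t.t))
    return Abst(fmap(lambda v: NEW if isinstance(v, New) else Old(h(v.x)), t.body))

def lift_structural(f: Callable) -> Callable:
    """lift as in 4.2: the old case uses Lam(old) instead of bind(var o old)."""
    return lambda v: Var(NEW) if isinstance(v, New) else fmap(Old, f(v.x))

def subst(t, s):
    """subst_A(t, s) = bind(case(s, var_A), t): put s for the variable new of t."""
    return bind(lambda v: case(s, var, v), t)

def weak(t):
    """weak_A = bind(var_{A_up} o old_A): shift t under one more binder."""
    return bind(lambda x: Var(Old(x)), t)

def beta(t):
    """One beta step at the root: app(abst(b), u) -> subst(b, u); other terms unchanged."""
    if isinstance(t, App) and isinstance(t.s, Abst):
        return subst(t.s.body, t.t)
    return t

# Constructed sample data over X = {'x', 'y'}: T1 = \z. z x and T2 = (\z. z x) y.
T1 = Abst(App(Var(NEW), Var(Old("x"))))
T2 = App(T1, Var("y"))
F_SUB = {"x": App(Var("x"), Var("y")), "y": Abst(Var(NEW))}.__getitem__   # f : X -> Lam(X)
G_SUB = {"x": Var("y"), "y": Var("x")}.__getitem__                         # g : X -> Lam(X)

def kleisli_laws_hold(t, f: Callable, g: Callable, names=("x", "y")) -> bool:
    """The three equations of Definition 1, checked on one term and two substitutions."""
    law1 = bind(var, t) == t                                        # bind(var) = id
    law2 = all(bind(f, var(x)) == f(x) for x in names)              # bind(f) o var = f
    law3 = bind(g, bind(f, t)) == bind(lambda x: bind(g, f(x)), t)  # bind(g) o bind(f) = bind(bind(g) o f)
    return law1 and law2 and law3

def lifts_agree(f: Callable, body) -> bool:
    """The recursive and the structural lift coincide on a term over X_up."""
    return bind(lift(f), body) == bind(lift_structural(f), body)

def subst_weak_is_identity(t, u) -> bool:
    """subst(weak(t), u) = t, the derivation closing 4.3."""
    return subst(weak(t), u) == t
```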

4.4 Implementations in Haskell and SML

Heterogeneous datatypes like Lam can be easily implemented in a functional
language like Haskell [HJW+92]. The implementation below by Sven Panne also
exploits predefined typeclasses like Monad and Functor in Haskell (where >>=,
return, Maybe, Just, Nothing, maybe denote bind, $\eta$, $(-)_\uparrow$, old, new, and case,
respectively).

import Control.Monad (ap)

data Lam a = Var a
           | App (Lam a) (Lam a)
           | Abs (Lam (Maybe a))     -- the body is a term over Maybe a: one extra bound variable

instance Functor Lam where
  fmap f x = x >>= return . f

-- Current GHC requires an Applicative instance between Functor and Monad; it is
-- determined by the Monad instance below and was not needed when this code was written.
instance Applicative Lam where
  pure  = Var
  (<*>) = ap

instance Monad Lam where
  return = Var
  Var x   >>= f = f x
  App t u >>= f = App (t >>= f) (u >>= f)
  Abs t   >>= f = Abs (t >>= lift f)

lift :: (Monad b, Functor b) => (a -> b c)
     -> Maybe a -> b (Maybe c)
lift f Nothing  = return Nothing
lift f (Just x) = fmap Just (f x)

subst :: Monad a => a (Maybe b) -> a b -> a b
subst t u = t >>= maybe u return

Although the datatype Lam is definable in ML [HMM86], lift is not accepted
by the ML type system. The reason is that lift requires polymorphic
recursion, which is known to be undecidable. The Haskell type system is more
flexible because it does not try to infer the type of a function if it is given anyway.
There is also an implementation of an improved ML typechecker [EL99] which
implements polymorphic recursion via a semialgorithm for semiunification. The
corresponding ML-code reads as follows:

datatype 'a Lift = new | old of 'a;

datatype 'a Lam = var of 'a | app of ('a Lam)*('a Lam)
                | abs of ('a Lift) Lam;

fun bind f (var x) = f x
  | bind f (app (t,u)) = app (bind f t, bind f u)
  | bind f (abs t) = abs (bind (lift f) t)
and lift f new = var new
  | lift f (old x) = lam old (f x)
and lam f = bind (var o f);

fun subst t u = bind (fn new => u | old x => var x) t;
fun weak t = lam old t;

4.5 Implementation in LEGO 

Using the Inductive-statement such a heterogeneous datatype can be defined
in LEGO [LP92] as follows:

Inductive [Lambda: Set->Type] ElimOver Type
Constructors [var : {X|Set}X->Lambda X]
             [app : {X|Set}(Lambda X)->(Lambda X)->(Lambda X)]
             [abst: {X|Set}(Lambda (Lift X))->(Lambda X)];

In the formalization we assume a constant ext which makes the propositional
equality extensional and thus destroys the computational adequacy of Type Theory.
This problem could be overcome by moving to a Type Theory as described
in [Alt99]. The complete LEGO code (for both variants) can be found in [RA99].

5 Extension to Simple Types 

5.1 Kleisli Structures 

To capture the case of typed algebras, specifically the simply typed $\lambda$-calculus, we
introduce a generalization of the Kleisli-triples, which we call Kleisli structure:

Definition 4. A Kleisli structure $(I, F, G, \eta, \mathrm{bind})$ on a category $\mathbf{C}$ is
given by

— an index set $I \in \mathrm{Set}$

— families of objects indexed by $I$: $F, G \in I \to |\mathbf{C}|$

— a family of morphisms indexed by $i \in I$: $\eta_i \in \mathbf{C}(F(i), G(i))$

— a family of functions indexed by $i, j \in I$:

    $\mathrm{bind}_{i,j} \in \mathbf{C}(F(i), G(j)) \to \mathbf{C}(G(i), G(j))$

which are subject to the following equations:

1. $\mathrm{bind}_{i,i}(\eta_i) = 1_{G(i)}$

2. $\mathrm{bind}_{i,j}(f) \circ \eta_i = f$ where $f \in \mathbf{C}(F(i), G(j))$.

3. $\mathrm{bind}_{i,k}(\mathrm{bind}_{j,k}(f) \circ g) = \mathrm{bind}_{j,k}(f) \circ \mathrm{bind}_{i,j}(g)$
where $f \in \mathbf{C}(F(j), G(k))$, $g \in \mathbf{C}(F(i), G(j))$.

Kleisli triples are a special case of Kleisli structures where $I = |\mathbf{C}|$ and $F$ is
the identity. Writing $\mathbf{C}_F$ for the category whose objects are elements of $I$ and
whose morphisms are given by $\mathbf{C}_F(i, j) = \mathbf{C}(F(i), F(j))$, we obtain a functor
$T : \mathbf{C}_F \to \mathbf{C}_G$ which is given by the identity on objects and on morphisms
$f \in \mathbf{C}_F(i, j)$ by

    $T(f) = \mathrm{bind}_{i,j}(\eta_j \circ f)$

In the special case of Kleisli triples this is the endofunctor on $\mathbf{C}$ given in section
2.1. Since $T$ is not an endofunctor in general it cannot be a monad.

5.2 Dependent Inductive Types

Next we model dependent inductive types, which are also called inductive families, by initial algebras in categories of families [Dyb94]. Given an index type $I \in \mathrm{Set}$, we define the category of $I$-indexed families: objects are $F \in I \to \mathrm{Set}$ and morphisms are $I$-indexed families of functions $f \in \Pi_{i \in I}\, F(i) \to G(i)$. An inductively defined dependent type is an initial algebra in the category of $I$-indexed families.

We assume that Set is also closed under $\Pi$-types, $\Sigma$-types and equality types $\mathrm{Eq} \in \Pi_{A \in \mathrm{Set}}\, A \to A \to \mathrm{Set}$. We use the usual $\lambda$-notation for $\Pi$-types. Elements of $\Sigma$-types are given by pairs, i.e. given $A \in \mathrm{Set}$, $B \in A \to \mathrm{Set}$, if $a \in A$ and $b \in B(a)$ then $(a, b) \in \Sigma_{a \in A}\, B(a)$. The only inhabitant of an equality type is $\mathrm{refl} \in \Pi_{A \in \mathrm{Set}}\,\Pi_{a \in A}\, \mathrm{Eq}_A(a, a)$. We assume that the equality type is extensional, i.e. $a = b$ holds iff $\mathrm{Eq}_A(a, b)$ is inhabited. For details see e.g. [Mar84].

We define a strictly positive operator on families as a function $G \in (I \to \mathrm{Set}) \to I \to \mathrm{Set}$ which is given by a definition $G(F) = \lambda i \in I.\,\sigma(F, i)$ where $F$ appears only strictly positively in $\sigma(F, i)$. Every strictly positive operator gives rise to a functor on the category of $I$-indexed families.
Given a strictly positive operator $G$ we introduce

$\mu^G = \mu F \in I \to \mathrm{Set}.\,\lambda i \in I.\,G(F, i) \;\in\; I \to \mathrm{Set}$

to denote the initial $G$-algebra. As before we define strictly positive operators simultaneously with dependent $\mu$-types such that $\mu$ can be used in the definition of new operators. We spell out the types of the constructor and iterator:

$c^G \in \Pi_{i \in I}\, G(\mu^G, i) \to \mu^G(i)$

$\mathrm{It}^G \in \Pi_{F \in I \to \mathrm{Set}}\,(\Pi_{i \in I}\, G(F, i) \to F(i)) \to \Pi_{i \in I}\, \mu^G(i) \to F(i)$

It is convenient to present dependent inductive types by giving the constructors. As an example consider the type of finite sets: $\mathrm{Fin} \in \mathrm{Nat} \to \mathrm{Set}$, $0_{\mathrm{Fin}} \in \Pi_{n \in \mathrm{Nat}}\, \mathrm{Fin}(\mathrm{succ}(n))$, $\mathrm{succ}_{\mathrm{Fin}} \in \Pi_{n \in \mathrm{Nat}}\, \mathrm{Fin}(n) \to \mathrm{Fin}(\mathrm{succ}(n))$. This definition can be mechanically translated into the strictly positive operator

$G_{\mathrm{Fin}}(F \in \mathrm{Nat} \to \mathrm{Set}) = \lambda n \in \mathrm{Nat}.\,\Sigma_{m \in \mathrm{Nat}}\, \mathrm{Eq}(\mathrm{succ}(m), n) \times (1 + F(m))$.

The type of $c^{G_{\mathrm{Fin}}}$ is isomorphic to the product of the types of $0_{\mathrm{Fin}}$ and $\mathrm{succ}_{\mathrm{Fin}}$. Inductive dependent types which are indexed over several sets, like $\Pi_{a \in A}\, B(a) \to \mathrm{Set}$, correspond to $\mu$-types whose index set is a $\Sigma$-type, i.e. $\Sigma_{a \in A}\, B(a)$.

Inductively defined dependent types can be encoded in the calculus of constructions along the same lines as heterogeneous datatypes, see Section 3.1.

As before we can represent the uniqueness condition by an induction principle. Assume a family of predicates $P \in \Pi_{i \in I}\, \mu^G(i) \to \mathrm{Prop}$:

$$\frac{\forall i \in I.\;\; c^G(P(i)) \subseteq P(i)}{\forall i \in I.\;\forall x \in \mu^G(i).\;\; P(x)}\;\;(\mathrm{Dep\text{-}Ind})$$

In Type Theory it is standard to use a dependent iterator which captures both induction and iteration.

Heterogeneous datatypes as introduced previously can be seen as an instance of dependent inductive types if we assume the existence of a universe $U \in \mathrm{Set}$ which reflects all the type formers introduced so far.



5.3 The Definition of Lam for Simple Types

To extend the previous construction to the simply typed $\lambda$-calculus we have to use dependent inductive types and Kleisli structures instead of triples. Given a set of types Ty, the base category $\mathcal{C}$ is the category of Ty-indexed sets, whose objects are families of sets indexed by types ($F \in \mathrm{Ty} \to \mathrm{Set}$) and whose morphisms are type-indexed families of functions $f \in \Pi_{\sigma \in \mathrm{Ty}}\, F(\sigma) \to G(\sigma)$.

The index set $I$ is given by the inductively defined set of contexts Con, and the families involved are $\mathrm{Var}(\Gamma, \sigma)$, the set of variables of type $\sigma$ in context $\Gamma$, and $\mathrm{Lam}(\Gamma, \sigma)$, the set of terms of type $\sigma$ in context $\Gamma$. $\mathrm{Var}(\Gamma)$ and $\mathrm{Lam}(\Gamma)$ are objects in our base category for any $\Gamma \in \mathrm{Con}$.
We shall present the types involved by giving the constructors. The set of types Ty and the set of contexts Con are given by the following homogeneous definitions: $\mathrm{Ty} \in \mathrm{Set}$, $o \in \mathrm{Ty}$, $\_\Rightarrow\_ \in \mathrm{Ty} \to \mathrm{Ty} \to \mathrm{Ty}$, $\mathrm{Con} \in \mathrm{Set}$, $\mathrm{empty} \in \mathrm{Con}$, $\mathrm{cons} \in \mathrm{Ty} \to \mathrm{Con} \to \mathrm{Con}$. Here cons plays the role that context extension played in the untyped case. Var is given by a dependently typed inductive definition:

$\mathrm{Var} \in \mathrm{Con} \to \mathrm{Ty} \to \mathrm{Set}$

$\mathrm{old} \in \Pi_{\Gamma \in \mathrm{Con}}\,\Pi_{\tau \in \mathrm{Ty}}\,\Pi_{\sigma \in \mathrm{Ty}}\, \mathrm{Var}(\Gamma, \sigma) \to \mathrm{Var}(\mathrm{cons}(\tau, \Gamma), \sigma)$
$\mathrm{new} \in \Pi_{\Gamma \in \mathrm{Con}}\,\Pi_{\sigma \in \mathrm{Ty}}\, \mathrm{Var}(\mathrm{cons}(\sigma, \Gamma), \sigma)$

Similarly, Lam is given by a dependent inductive type:

$\mathrm{Lam} \in \mathrm{Con} \to \mathrm{Ty} \to \mathrm{Set}$
$\mathrm{var} \in \Pi_{\Gamma \in \mathrm{Con},\,\sigma \in \mathrm{Ty}}\, \mathrm{Var}(\Gamma, \sigma) \to \mathrm{Lam}(\Gamma, \sigma)$
$\mathrm{app} \in \Pi_{\Gamma \in \mathrm{Con},\,\sigma, \tau \in \mathrm{Ty}}\, \mathrm{Lam}(\Gamma, \sigma \Rightarrow \tau) \to \mathrm{Lam}(\Gamma, \sigma) \to \mathrm{Lam}(\Gamma, \tau)$
$\mathrm{abst} \in \Pi_{\Gamma \in \mathrm{Con},\,\sigma, \tau \in \mathrm{Ty}}\, \mathrm{Lam}(\mathrm{cons}(\sigma, \Gamma), \tau) \to \mathrm{Lam}(\Gamma, \sigma \Rightarrow \tau)$

As in the untyped case var is the unit $\eta$ of our Kleisli structure. We now define bind and lift by simultaneous recursion:

$\mathrm{bind} \in \Pi_{\Gamma, \Delta \in \mathrm{Con}}\,(\Pi_{\sigma \in \mathrm{Ty}}\, \mathrm{Var}(\Gamma, \sigma) \to \mathrm{Lam}(\Delta, \sigma)) \to \Pi_{\sigma \in \mathrm{Ty}}\, \mathrm{Lam}(\Gamma, \sigma) \to \mathrm{Lam}(\Delta, \sigma)$
$\mathrm{lift} \in \Pi_{\Gamma, \Delta \in \mathrm{Con}}\,\Pi_{\tau \in \mathrm{Ty}}\,(\Pi_{\sigma \in \mathrm{Ty}}\, \mathrm{Var}(\Gamma, \sigma) \to \mathrm{Lam}(\Delta, \sigma)) \to \Pi_{\sigma \in \mathrm{Ty}}\, \mathrm{Var}(\mathrm{cons}(\tau, \Gamma), \sigma) \to \mathrm{Lam}(\mathrm{cons}(\tau, \Delta), \sigma)$

$\mathrm{lift}(\tau, f, \mathrm{new}(\Gamma, \tau)) = \mathrm{var}(\mathrm{new}(\Delta, \tau))$
$\mathrm{lift}(\tau, f, \mathrm{old}(\tau, x)) = \mathrm{bind}(\mathrm{var} \circ \mathrm{old}(\tau), f(x))$

$\mathrm{bind}(f, \mathrm{var}(x)) = f(x)$
$\mathrm{bind}(f, \mathrm{app}(t, u)) = \mathrm{app}(\mathrm{bind}(f, t), \mathrm{bind}(f, u))$
$\mathrm{bind}(f, \mathrm{abst}(t)) = \mathrm{abst}(\mathrm{bind}(\mathrm{lift}(\sigma, f), t))$

The termination argument is the same as for the untyped case, see Section 4.1.

5.4 Lam is a Kleisli Structure

The verification of this fact has the same structure as the previous proof but with different types. Let us state the result precisely:

Theorem 1. Lam gives rise to a Kleisli structure where

— $\mathcal{C}$ is the category of Ty-indexed families;

— $I = \mathrm{Con}$;

— $F = \mathrm{Var} \in \mathrm{Con} \to |\mathcal{C}|$;

— $G = \mathrm{Lam} \in \mathrm{Con} \to |\mathcal{C}|$;

— $\eta_\Gamma = \mathrm{var}_\Gamma \in \mathcal{C}(\mathrm{Var}(\Gamma), \mathrm{Lam}(\Gamma))$;

— $\mathrm{bind}_{\Gamma,\Delta} \in \mathcal{C}(\mathrm{Var}(\Gamma), \mathrm{Lam}(\Delta)) \to \mathcal{C}(\mathrm{Lam}(\Gamma), \mathrm{Lam}(\Delta))$.

Proof. See the proofs of Corollary 1.
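As an added illustration of Sections 5.3 and 5.4 (example code written for this edition, not code from the paper nor from its Haskell or LEGO development), the following Python program represents $\mathrm{Var}(\Gamma, \sigma)$ by de Bruijn indices into a context $\Gamma$ given as a tuple of types, defines bind and lift by exactly the simultaneous recursion above, type-checks the result, and checks the three equations of Definition 4 on a constructed term and two constructed substitutions. The contexts GAMMA, DELTA and THETA, the term T and the substitutions g_subst and f_subst are assumptions made for this example; the equations are checked as syntactic identities, which is all the structural proof of Theorem 1 needs.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Tuple, Union

# Simple types: the base type o, or an arrow ("=>", sigma, tau).
Ty = Union[str, Tuple[str, "Ty", "Ty"]]
O: Ty = "o"

def arrow(s: Ty, t: Ty) -> Ty:
    return ("=>", s, t)

# Contexts: cons(tau, Gamma) puts tau in front, so index 0 is the newest variable.
Con = Tuple[Ty, ...]

def cons(t: Ty, g: Con) -> Con:
    return (t,) + g

# Var(Gamma, sigma) as de Bruijn indices into Gamma: new = 0, old(x) = x + 1.
NEW = 0

def old(x: int) -> int:
    return x + 1

# Lam(Gamma, sigma): the constructors var, app and abst of section 5.3.
@dataclass(frozen=True)
class Var:
    x: int

@dataclass(frozen=True)
class App:
    f: Lam
    a: Lam

@dataclass(frozen=True)
class Abst:
    s: Ty      # type of the bound variable
    body: Lam  # a term of Lam(cons(s, Gamma), tau)

Lam = Union[Var, App, Abst]
Subst = Callable[[int], Lam]  # a type-respecting map Var(Gamma) -> Lam(Delta)

def eta(x: int) -> Lam:
    """var: the unit of the Kleisli structure."""
    return Var(x)

def typeof(t: Lam, g: Con) -> Ty:
    """Type of t in context g; raises TypeError on an ill-typed application."""
    if isinstance(t, Var):
        return g[t.x]
    if isinstance(t, App):
        ft, at = typeof(t.f, g), typeof(t.a, g)
        if not (isinstance(ft, tuple) and ft[0] == "=>" and ft[1] == at):
            raise TypeError(f"cannot apply {ft} to {at}")
        return ft[2]
    return arrow(t.s, typeof(t.body, cons(t.s, g)))

def lift(f: Subst) -> Subst:
    """lift(tau, f): Var(cons(tau, Gamma)) -> Lam(cons(tau, Delta))."""
    def lifted(x: int) -> Lam:
        if x == NEW:
            return eta(NEW)                           # new |-> var(new)
        return bind(lambda y: eta(old(y)), f(x - 1))  # old(x) |-> bind(var . old, f(x))
    return lifted

def bind(f: Subst, t: Lam) -> Lam:
    """bind(f): Lam(Gamma) -> Lam(Delta), by the recursion of section 5.3."""
    if isinstance(t, Var):
        return f(t.x)
    if isinstance(t, App):
        return App(bind(f, t.f), bind(f, t.a))
    return Abst(t.s, bind(lift(f), t.body))

def kleisli_laws_hold(t: Lam, n_gamma: int, g: Subst, f: Subst) -> bool:
    """The three equations of Definition 4, checked on syntax trees (structural ==).
    g : Var(Gamma) -> Lam(Delta) with |Gamma| = n_gamma, f : Var(Delta) -> Lam(Theta)."""
    law1 = bind(eta, t) == t
    law2 = all(bind(g, eta(x)) == g(x) for x in range(n_gamma))
    law3 = bind(lambda x: bind(f, g(x)), t) == bind(f, bind(g, t))
    return law1 and law2 and law3

# Constructed sample data (assumptions of this example, not from the paper).
GAMMA: Con = (O, arrow(O, O))   # index 0 : o, index 1 : o => o
DELTA: Con = (arrow(O, O), O)   # index 0 : o => o, index 1 : o
THETA: Con = (O,)               # index 0 : o
# T = abst(o, x1 (x1 x0)) : o => o in GAMMA; inside the body the bound variable is index 0.
T: Lam = Abst(O, App(Var(2), App(Var(2), Var(1))))

def g_subst(x: int) -> Lam:  # Var(GAMMA) -> Lam(DELTA), respecting the types
    return [App(Var(0), Var(1)),                           # : o
            Abst(O, App(Var(1), App(Var(1), Var(0))))][x]   # : o => o

def f_subst(x: int) -> Lam:  # Var(DELTA) -> Lam(THETA)
    return [Abst(O, Var(0)), Var(0)][x]                    # : o => o, : o

if __name__ == "__main__":
    print(typeof(bind(f_subst, bind(g_subst, T)), THETA))
    print(kleisli_laws_hold(T, len(GAMMA), g_subst, f_subst))
```

The lift case for old(x) is where the dependency on contexts shows: f(x) lives in $\Delta$ and has to be weakened into $\mathrm{cons}(\tau, \Delta)$, which is itself a bind with the renaming $\mathrm{var} \circ \mathrm{old}$, so the two functions really are defined by simultaneous recursion.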
6 Conclusions and Open Problems

We have discussed a uniform representation of untyped and typed $\lambda$-terms based on Kleisli triples in type theory using heterogeneous (generalized) datatypes. All this can be easily implemented in Haskell and in a special version of SML, and formally verified in LEGO. The recursive construction of the Kleisli triple turned out to be much simpler than the structural inductive one, which supports our point of view that recursive proofs are often easier and should be supported by modern type-theoretic systems. It is future work to look for a generalization to terms of dependently typed $\lambda$-calculi, thus suggesting a new approach to the project of Type Theory in Type Theory (cf. [MP93]). A problem which needs to be tackled in this context is that the type of the substitution function in a dependently typed context may depend on its own graph.

Once the examination of the Lam-monad is finished and attention turns to other examples of heterogeneous datatypes, many interesting questions arise that deserve further investigation. There exist practically interesting examples that need a stronger notion of inductively defined functors, not just operators. Moreover, can one find a useful characterisation of "being Kleisli" for inductive families? A challenging open question is whether inductively defined operators are proof-theoretically conservative with respect to standard inductive ones, i.e. can one define more functions on natural numbers using inductive operators?
Abstract. We explain why the original proofs of P-Time completeness for Light Affine Logic and Light Linear Logic can not work, and we fully develop a working one.

Keywords: Light Affine/Linear Logics, P-Time completeness, programming with feasible functions.



1 Introduction 

The aim of this work is twofold. On one side, it develops in full detail the proof that Light Affine Logic (LAL) [1] is P-Time complete. This means showing that a P-Time Turing machine can be encoded as a derivation of LAL, which is a smart simplification of Light Linear Logic (LLL) [3]. The simplification consists of allowing the unconstrained use of weakening. This does not affect the complexity of cut elimination for LAL: it remains bounded by a polynomial in the dimension of the derivation. On the other side, this work introduces a very compact paradigmatic functional language $\Lambda_{LA}$ for programming with the derivations of LAL, which represent feasible functions.

The development of the proof of P-Time completeness of LAL is not merely a programming exercise with an exotic functional notation. Many readers might come to this conclusion just recalling that the P-Time completeness of LAL was claimed to hold in [1], where the hints for proving it say to follow what Girard does in [3]. However, following Girard, one gets stuck. The problem is that the derivation of LLL encoding the transition function of the Turing machine being represented does not correspond to an iterable program, which we call t_fun for short. Let us see why this happens. Firstly, recall that an iteration principle can be derived in LLL: it requires that the iterated function has a type $\tau \multimap \tau$ for some "light linear" type $\tau$. Secondly, the iteration principle serves for encoding the Turing machine: t_fun is iterated on the starting configuration at most as many times as the bound given by the polynomial. Assume now config is the name of the type for the representation in LAL of the configurations (tape, state, head position) of a given Turing machine. Following [3], t_fun can not be written with a type different from $\mathsf{config} \multimap \S\mathsf{config}$, where § is one of the two modalities "!" and "§" of LLL. So, t_fun can not be the argument of the iteration principle, and nothing works, neither in LLL, nor in LAL.
The solution to the problem is to change the representation of the configurations. To see how, we use an example. Suppose we want to represent a configuration C of a Turing machine such that the tape is 10*10, the state is $S_i$, and the head is on the cell containing *. The derivation used in [3] to encode C corresponds to the following tuple of terms of System F [4]:

$[\lambda ozsx.\,o(zx),\;\; \lambda ozsx.\,s(z(ox)),\;\; \mathsf{state}_i]$ (1.1)

which becomes:

$\lambda OZS.\S(\lambda x.\,\underline{!}O(\underline{!}Z\,x)) \otimes \lambda OZS.\S(\lambda x.\,\underline{!}S(\underline{!}Z(\underline{!}O\,x))) \otimes \mathsf{state}_i$ (1.2)

in the language $\Lambda_{LA}$ we shall introduce. The term $\lambda ozsx.\,o(zx)$ encodes the tape to the left of the head in reversed order, $\lambda ozsx.\,s(z(ox))$ is the part of tape from the head position to its right, and $\mathsf{state}_i$ is some encoding of the state $S_i$. On the contrary, our encoding of C corresponds to the term:

$\lambda oo'zz'ss'xx'.\,[o(zx),\;\; s'(z'(o'x')),\;\; \mathsf{state}_i]$ (1.3)

of System F, which becomes:

$\lambda OO'ZZ'SS'.\S(\lambda xx'.\,\underline{!}O(\underline{!}Z\,x) \otimes \underline{!}S'(\underline{!}Z'(\underline{!}O'\,x')) \otimes \mathsf{state}_i)$ (1.4)

in $\Lambda_{LA}$. The difference between the two choices is evident. The old one separates the components of the tape in two different $\lambda$-abstractions, while the new one keeps them merged into a single $\lambda$-body. We are now in the position to have a good intuition about why (1.2) can not work. Firstly, recall that in LAL there is the §-box constructor "§". Secondly, recall that LAL does not allow any box opening. We can only merge the borders of two boxes, but we can never drop one border completely: this is the key point for proving the complexity bound! Any encoding t_fun of the transition function working on (1.2) needs to access the components of (1.2). This can be accomplished by a t_fun with a §-box whose border must be merged with all those in (1.2). The lack of dereliction does not allow to get rid of such a §-box in t_fun: it gets recorded in the co-domain of the type of t_fun, which can only be $\mathsf{config} \multimap \S\mathsf{config}$. This problem disappears if t_fun is written for manipulating (1.4). Indeed, the §-box of t_fun used to access the components of (1.4) is the same as the one needed to build the new configuration. Encoding the configurations as in (1.4) we get:

Theorem. Any P-Time Turing machine with a polynomial $p(x)$ of maximal non-null degree $d$, bounding its computational complexity, can be encoded in a term $M$ of $\Lambda_{LA}$, such that $M$ has the Light Affine Logic formula $\mathsf{tape} \multimap \S^{d+3}\mathsf{tape}$ as its type, for some suitable type tape.

Contents: Section 2 introduces the language $\Lambda_{LA}$. Section 3 recalls Intuitionistic Light Affine Logic and decorates its derivations with $\Lambda_{LA}$. Section 4 defines the encoding of the P-Time Turing machine in the typable fragment of $\Lambda_{LA}$, mainly focusing on the encoding of the transition function. The representation in $\Lambda_{LA}$ of all the remaining details is left to Appendix A and B. Section 5 recalls the justification for writing this work. Section 6 concludes the work.
2 The Functional Language

Syntax. Let $c, h, j, o, s, x, y, w, z$ range over the set of linear names $T_{vars}$, and $J, O, X, Y, Z$ range over the set of exponential identifiers $!T_{vars}$. Let also $\chi$ range over $T_{vars} \cup\, !T_{vars}$. The set of patterns is generated by:

$p ::= T_{vars} \mid\, !T_{vars} \mid p \otimes p$

and is ranged over by $p$. The set $\Lambda$ of the functional terms is given by:

$M, N, P, Q ::= T_{vars} \mid\, !T_{vars} \mid \lambda p.M \mid MN \mid P \otimes Q \mid\, !M \mid \underline{!}M \mid \S M \mid \underline{\S}M$

For any pattern $\chi_1 \otimes \ldots \otimes \chi_n$, the set $\mathrm{FV}(\chi_1 \otimes \ldots \otimes \chi_n)$ of its free variables is $\{\chi_1, \ldots, \chi_n\}$. As usual, $\lambda$ binds the variables of $M$ so that $\mathrm{FV}(\lambda p.M)$ is $\mathrm{FV}(M) \setminus \mathrm{FV}(p)$. The free variable sets of all the remaining terms are obvious, as the constructors $\otimes$, $!$, $\S$, $\underline{!}$ and $\underline{\S}$ do not bind variables. Both $!$ and $\S$ build $!$-boxes and $\S$-boxes, respectively, $M$ being the body. The term constructor $\underline{!}$ can mark one of the entry points of both $!$-boxes and $\S$-boxes, while $\underline{\S}$ can mark only those of $\S$-boxes. An idea about what we mean by "entry point" can be given pictorially. Assume $!M$ is a $!$-box, having a single entry point with a closed $N$ plugged into it. The figure representing this situation is:

[Figure: the $!$-box $!M$ drawn as a dashed box, with the closed term $N$ plugged into its entry point]

where the dashed line stands for the ideal box containing $M$, $!$ is its exit, $\underline{!}$ is its entry point, and $N$ has its root plugged into the entry point of $!M$.

The elements of $\Lambda$ are considered up to the usual $\alpha$-equivalence, which allows the renaming of the bound variables of a term $M$. For example, $!(\lambda x.(\underline{!}Y)\,x)$ and $!(\lambda y.(\underline{!}Y)\,y)$ are $\alpha$-equivalent to each other.

The substitution of $M$ for $\chi$ in $N$ is denoted by $N\{M/\chi\}$. It is the obvious extension to $\Lambda$ of the capture-free substitution of terms for variables defined for the $\lambda$-calculus [2]. For example, $X\{x/X\}$ yields $x$.

It can be observed that in the definition of the substitution the existence of two sets of variables is overlooked. Both the dynamics on the terms of $\Lambda$ (introduced below) and the way we give a type to them with the formulas of Intuitionistic Light Affine Logic (introduced in Section 3) will establish a substitution policy about how to correctly substitute terms for variables, as follows: the substitution $N\{M/\chi\}$ will become equivalent to a partial substitution that behaves as usual only in one of the two, mutually exclusive, cases:

— if $\chi$ is an exponential identifier, then $M$ must be either a $!$-box or an exponential identifier;

— if $\chi$ is a linear identifier, then $M$ can be any term.

Otherwise, the substitution is undefined. For example, $X\{x/X\}$ will not work.

The substitutions can be generalized to $N\{M_1/\chi_1, \ldots, M_n/\chi_n\}$, meaning the simultaneous replacement of $M_i$ for $\chi_i$, for every $1 \le i \le n$.

The notation $M[N_1, \ldots, N_n]$ means that $M$ may contain $N_1, \ldots, N_n$ as its sub-terms. In particular, $!M[\underline{!}N]$ means that $!M$ may contain $\underline{!}N$ as its sub-term. Notice that, under the definition of $\Lambda$, the notation $!M[\underline{!}N]$ is ambiguous: if we let $M$ be $(x\;\underline{!}X\;\underline{!}Y)$, then $!M$ can be written both as $!M[\underline{!}X]$ and $!M[\underline{!}Y]$.

We shall use $\equiv$ for syntactic coincidence.

Finally, a relation unpack on $\otimes$-tuples of terms is defined:

$\mathrm{unpack}(M_1 \otimes \ldots \otimes M_m,\; P_1 \otimes \ldots \otimes P_m,\; \{N_{j_1}, \ldots, N_{j_n}\})$ iff

— $\{j_1, \ldots, j_n\} \subseteq \{1, \ldots, m\}$, where $1 \le k \ne i \le n$ implies $j_k \ne j_i$;

— $\{k_1, \ldots, k_{m-n}\}$ is $\{1, \ldots, m\} \setminus \{j_1, \ldots, j_n\}$;

— $M_{j_i} \equiv\, !Q_{j_i}[\underline{!}N_{j_i}]$ with $N_{j_i} \not\equiv Z$ for any $Z$, and $P_{j_i} \equiv\, !Q_{j_i}[\underline{!}Y_{j_i}]$ for a fresh exponential identifier $Y_{j_i}$;

— if $M_{k_i}$ is a $!$-box $!Q_{k_i}[\underline{!}N_{k_i}]$, then $N_{k_i} \equiv Z$ for some $Z$;

— $P_{k_i} \equiv M_{k_i}$.

Dynamics. The rewriting system on $\Lambda$ is the contextual closure of the union of two rewriting relations $\rhd_\beta$ and $\rhd_\partial$ on $\Lambda \times \Lambda$. The first is:

$(\lambda x_1 \otimes \ldots \otimes x_m.M)\,M_1 \otimes \ldots \otimes M_m \;\rhd_\beta\; (\lambda Y_{j_1} \otimes \ldots \otimes Y_{j_n}.\,M\{P_1/x_1, \ldots, P_m/x_m\})\,N_{j_1} \otimes \ldots \otimes N_{j_n}$

if $\mathrm{unpack}(M_1 \otimes \ldots \otimes M_m,\; P_1 \otimes \ldots \otimes P_m,\; \{N_{j_1}, \ldots, N_{j_n}\})$.

The relation unpack formalizes the idea that an exponential variable can duplicate both exponential variables and $!$-boxes, but nothing else. On the other hand, every term can replace a linear variable. An example of $\rhd_\beta$-reduction is:

$(\lambda X \otimes x.M)\,(!(\lambda y.(\underline{!}(wz))\,y) \otimes (w'z')) \;\rhd_\beta\; (\lambda Y.\,M\{!(\lambda y.(\underline{!}Y)\,y)/X,\; w'z'/x\})\,(wz)$.

No problem arises replacing $x$ by $w'z'$. The part of $!(\lambda y.(\underline{!}(wz))\,y)$ that can be duplicated by $X$, possibly occurring more than once in $M$, is only $!(\lambda y.(\underline{!}Y)\,y)$. So $wz$ is kept as a single argument after the reduction.

The second rewriting relation merges the borders of two boxes:

$\underline{\circ}\,\circ\,M \;\rhd_\partial\; M$ with $\circ \in \{!, \S\}$.

The $\alpha$-equivalence must be used to avoid variable clashes when rewriting terms, so that linear (respectively exponential) variables rename linear (respectively exponential) variables.

The reflexive and transitive closure of $\rhd_\beta \cup \rhd_\partial$ on $\Lambda$ is denoted $\rhd^*$. Finally, the pair $(\Lambda, \rhd^*)$ is the functional language $\Lambda_{LA}$.
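As an added example (written for this edition, not part of the original paper), the following Python program implements the substitution policy, the unpack relation and the two rewriting rules just described, and runs the $\rhd_\beta$ example above with the body $M$ chosen as $X \otimes X \otimes x$, so that the duplication of the $!$-box is visible. Conventions of this example, not of the paper: lowercase names are linear and uppercase names are exponential identifiers; a pattern is flattened into a tuple of names and the argument is split along the left-nested $\otimes$ up to the pattern's arity; bound names are assumed clash-free (the paper delegates this to $\alpha$-renaming); the fresh identifiers introduced by unpack are drawn from $Y, Y1, Y2, \ldots$.

```python
from __future__ import annotations
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class T:
    """A term of Lambda_LA. tag is one of "var", "lam", "app", "tens", "!", "§"
    (the two box constructors) or "_!", "_§" (the underlined entry markers)."""
    tag: str
    kids: tuple = ()   # the name for "var"; (pattern, body) for "lam"; sub-terms otherwise

def V(name: str) -> T: return T("var", (name,))
def Lam(pat, body: T) -> T: return T("lam", (tuple(pat), body))
def App(f: T, a: T) -> T: return T("app", (f, a))
def Tens(l: T, r: T) -> T: return T("tens", (l, r))
def Box(kind: str, body: T) -> T: return T(kind, (body,))
def Entry(kind: str, body: T) -> T: return T("_" + kind, (body,))

def is_exp(name: str) -> bool: return name[0].isupper()      # our convention: uppercase = exponential
def is_exp_var(t: T) -> bool: return t.tag == "var" and is_exp(t.kids[0])
def is_bang_box(t: T) -> bool: return t.tag == "!"
def subterms(t: T) -> List[T]: return [k for k in t.kids if isinstance(k, T)]

def names(t: T) -> Set[str]:
    s = {t.kids[0]} if t.tag == "var" else set(t.kids[0]) if t.tag == "lam" else set()
    return s.union(*map(names, subterms(t)))

def rebuild(t: T, f) -> T:
    """Apply f to the immediate sub-terms of t, keeping tags and patterns."""
    return T(t.tag, tuple(f(k) if isinstance(k, T) else k for k in t.kids))

def subst(t: T, env: Dict[str, T]) -> T:
    """N{M1/chi1, ...}: capture-free (bound names assumed clash-free) and partial,
    as the substitution policy requires: an exponential identifier accepts only
    a !-box or an exponential identifier, a linear name accepts any term."""
    if t.tag == "var":
        name = t.kids[0]
        if name not in env:
            return t
        m = env[name]
        if is_exp(name) and not (is_bang_box(m) or is_exp_var(m)):
            raise ValueError(f"substitution for {name} is undefined")
        return m
    if t.tag == "lam":
        env = {k: v for k, v in env.items() if k not in t.kids[0]}   # the pattern binds
    return rebuild(t, lambda k: subst(k, env))

def substitution_defined(t: T, env: Dict[str, T]) -> bool:
    try:
        subst(t, env)
    except ValueError:
        return False
    return True

def entry(body: T) -> Optional[T]:
    """N of the (at most one) entry marker in a box body; nested boxes keep their own."""
    if body.tag in ("_!", "_§"): return body.kids[0]
    if body.tag in ("!", "§"): return None
    return next((n for n in map(entry, subterms(body)) if n is not None), None)

def replace_entry(body: T, new: T) -> T:
    """!Q[!N] -> !Q[!new] on a box body, again without crossing nested boxes."""
    if body.tag in ("_!", "_§"): return T(body.tag, (new,))
    if body.tag in ("!", "§"): return body
    return rebuild(body, lambda k: replace_entry(k, new))

def split(t: T, n: int) -> List[T]:
    """M1, ..., Mn of a left-nested tensor, matched against a pattern of arity n."""
    if n == 1: return [t]
    if t.tag != "tens": raise ValueError("argument does not match the pattern")
    return split(t.kids[0], n - 1) + [t.kids[1]]

def tensor(ts: List[T]) -> T:
    t = ts[0]
    for u in ts[1:]: t = Tens(t, u)
    return t

def fresh(used: Set[str]) -> str:
    return next(y for y in (f"Y{i}" if i else "Y" for i in count()) if y not in used)

def beta(redex: T) -> T:
    """One >beta step. unpack: an argument !Q[!N] whose N is not an exponential
    identifier becomes !Q[!Y] with Y fresh, and N is re-applied outside the lambda."""
    if not (redex.tag == "app" and redex.kids[0].tag == "lam"):
        raise ValueError("not a beta-redex")
    (pat, body), arg = redex.kids[0].kids, redex.kids[1]
    used, ps, ys, ns = names(redex), [], [], []
    for m in split(arg, len(pat)):
        n = entry(m.kids[0]) if is_bang_box(m) else None
        if n is None or is_exp_var(n):
            ps.append(m)                                   # duplicable as it stands
        else:
            y = fresh(used); used.add(y)
            ps.append(Box("!", replace_entry(m.kids[0], V(y)))); ys.append(y); ns.append(n)
    result = subst(body, dict(zip(pat, ps)))
    return App(Lam(ys, result), tensor(ns)) if ys else result

def merge(t: T) -> T:
    """Border merging: an entry marker immediately followed by a box of the same kind."""
    inner = t.kids[0] if t.tag in ("_!", "_§") else None
    return inner.kids[0] if inner is not None and inner.tag == t.tag[1:] else t

# The reduction example of section 2, with M chosen as X (x) X (x) x (our choice).
BANG = Box("!", Lam(["y"], App(Entry("!", App(V("w"), V("z"))), V("y"))))
REDEX = App(Lam(["X", "x"], Tens(Tens(V("X"), V("X")), V("x"))),
            Tens(BANG, App(V("w'"), V("z'"))))
```

Running beta(REDEX) yields $(\lambda Y.\,!(\lambda y.(\underline{!}Y)\,y) \otimes !(\lambda y.(\underline{!}Y)\,y) \otimes w'z')\,(wz)$: the box is copied twice, $wz$ once, which is the whole point of the unpack detour; a $!$-box whose entry is already an exponential identifier is copied as it stands, with no new redex created.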
3 Intuitionistic Light Affine Logic

This section recalls the sequent calculus of Intuitionistic Light Affine Logic, and decorates its inference rules by the terms of $\Lambda_{LA}$. For a correct decoration we need some adjustments of the logical formulas that the sequent calculus can derive, with respect to [1].

Logical Formulas. Let $\alpha, \beta, \gamma$ range over the set of linear identifiers $F_{vars}$, and let $\theta$ range over the set of exponential identifiers $!F_{vars}$. Let also $\varphi$ range over $F_{vars} \cup\, !F_{vars}$. The language of the formulas of Intuitionistic Light Affine Logic is generated by:

$\rho, \sigma, \tau ::= L \mid E$

$L ::= F_{vars} \mid \sigma \multimap \tau \mid \sigma \otimes \tau \mid \S\tau \mid \forall\varphi.L$

$E ::= \,!F_{vars} \mid\, !\rho \mid \forall\varphi.E$

As usual, $\forall$ is a binder: the free variables of $\forall\varphi_1 \ldots \varphi_n.\tau$ are $\mathrm{FV}(\tau) \setminus \{\varphi_1, \ldots, \varphi_n\}$, with $\mathrm{FV}(\tau)$ having the obvious inductive definition. The formulas are taken up to $\alpha$-equivalence. The linear formulas are those generated by the grammar with $L$ as its start symbol. The exponential ones start from $E$.

Any linear formula $\tau$ not having $\otimes$ as its principal operator is thought of as a degenerate tensor, namely a tuple with a single element.

A basic set of assumptions is a set of pairs $\{x_1 : \sigma_1, \ldots, x_n : \sigma_n\}$ such that:

1. every $x_i$ is an exponential (respectively linear) term variable if, and only if, $\sigma_i$ is an exponential (respectively linear) formula;

2. $\{x_1 : \sigma_1, \ldots, x_n : \sigma_n\}$ is a function with finite domain $\{x_1, \ldots, x_n\}$, namely, if $i \ne j$ then $x_i \ne x_j$.

An extended set of assumptions is a basic set containing also pairs $p : \sigma$, and satisfying some constraints. Assume $p$ is $\chi_1 \otimes \ldots \otimes \chi_m$. Then:

1. $\sigma$ must be $\sigma_1 \otimes \ldots \otimes \sigma_p$, with $p \ge m$;

2. $\{\chi_1 : \tau_1, \ldots, \chi_m : \tau_m\}$ is a basic set of assumptions, where every $\tau_i$ is a, possibly degenerate, tensor of formulas in $\{\sigma_1, \ldots, \sigma_p\}$.

For example, $\{X : \theta,\; y : \beta\}$ is a legal extended set; $\{X \otimes x : \theta,\; y : \beta\}$ is not.

From now on, by "assumptions" we mean "extended set of assumptions". Meta-variables ranging over the assumptions are $\Gamma$ and $\Delta$.

The substitutions on formulas replace linear (respectively exponential) formulas for linear (respectively exponential) variables. The simultaneous substitution of $\tau_1 \ldots \tau_n$ for $\varphi_1 \ldots \varphi_n$ in $\sigma$ is denoted by $\sigma\{\tau_1/\varphi_1, \ldots, \tau_n/\varphi_n\}$.

Logical Rules. We recall the sequent calculus for Intuitionistic Light Affine Logic [1] by decorating it with the terms of $\Lambda_{LA}$. The judgments have the form:
$\Gamma \vdash M : \tau$, where $\Gamma$ is a set of assumptions, $M$ is a term of $\Lambda_{LA}$, and $\tau$ is a formula. The decorated system is:

(A) $\dfrac{}{x : \tau \vdash x : \tau}$

(Cut) $\dfrac{\Gamma \vdash M : \sigma \qquad \Delta, x : \sigma \vdash N : \tau}{\Gamma, \Delta \vdash N\{M/x\} : \tau}$

(W) $\dfrac{\Gamma \vdash M : \tau}{\Gamma, x : \sigma \vdash M : \tau}$

(C) $\dfrac{\Gamma, X : !\sigma, Y : !\sigma \vdash M : \tau}{\Gamma, Z : !\sigma \vdash M\{Z/X, Z/Y\} : \tau}$

($\multimap$L) $\dfrac{\Gamma \vdash M : \sigma \qquad \Delta, x : \tau \vdash N : \rho}{\Gamma, \Delta, y : \sigma \multimap \tau \vdash N\{(y\,M)/x\} : \rho}$

($\multimap$R) $\dfrac{\Gamma, p : \tau_1 \otimes \ldots \otimes \tau_n \vdash M : \tau}{\Gamma \vdash \lambda p.M : \tau_1 \otimes \ldots \otimes \tau_n \multimap \tau}$

($\otimes$L) $\dfrac{\Gamma, x_1 : \tau_1, x_2 : \tau_2 \vdash M : \tau}{\Gamma, x_1 \otimes x_2 : \tau_1 \otimes \tau_2 \vdash M : \tau}$

($\otimes$R) $\dfrac{\Gamma \vdash M : \tau \qquad \Delta \vdash N : \sigma}{\Gamma, \Delta \vdash M \otimes N : \tau \otimes \sigma}$

(!) $\dfrac{\ldots\, x_i : \sigma_i \,\ldots \vdash M : \tau}{\ldots\, X_i : !\sigma_i \,\ldots \vdash\; !M\{\underline{!}X_i/x_i\} : !\tau}$ with $0 \le i \le n \le 1$

(§) $\dfrac{\ldots\, x_i : \sigma_i \,\ldots\, y_j : \rho_j \,\ldots \vdash M : \tau}{\ldots\, X_i : !\sigma_i \,\ldots\, y_j : \S\rho_j \,\ldots \vdash \S M\{\underline{!}X_i/x_i,\; \underline{\S}y_j/y_j\} : \S\tau}$ with $0 \le i \le m$, $0 \le j \le n$

($\forall$L) $\dfrac{\Gamma, x : \sigma\{\tau/\varphi\} \vdash M : \rho}{\Gamma, x : \forall\varphi.\sigma \vdash M : \rho}$

($\forall$R) $\dfrac{\Gamma \vdash M : \sigma \qquad \varphi \notin \mathrm{FV}(\Gamma)}{\Gamma \vdash M : \forall\varphi.\sigma}$

Observe that the (!)-rule can have at most one assumption. So the notation $!M[\underline{!}N]$ can no longer be ambiguous.

Observe that $\Lambda_{LA}$ gives a very parsimonious representation of the derivations. The contraction is left implicit, allowing multiple occurrences of the same exponential variable. The pattern matching avoids the use of any let-like binder that would require some commuting conversions in $\Lambda_{LA}$. The representation of the boxes is much more compact than that used in [1,5,6], and this prevents the need of a lot of commuting conversions. Somebody might object to the (relative) complexity of the $\rhd_\beta$-reduction. It is the side effect of the lack of an explicit encoding for the (C)-rule. Assuming we had it, we could redefine $\rhd_\beta$ simply as:

$(\lambda x_1 \otimes \ldots \otimes x_m.M)\,M_1 \otimes \ldots \otimes M_m \;\rhd_\beta\; M\{M_1/x_1, \ldots, M_m/x_m\}$.

In this case, the duplication of every $M_i$ with form $!P_i[\underline{!}Q_i]$, as many times as the occurrences of every $x_i$, should be filtered by the explicit contraction. The aim: forbidding the duplication of any $Q_i$ different from both an exponential variable and a $!$-box. Moreover, the explicit term for contraction would induce commuting conversions. Hence, we would pay in terms of more reductions and more constructs. So, the detailed encoding of the P-Time Turing machines in Appendix A and B would get (much) more unreadable.

The language $\Lambda_{LA}$ does not encode explicitly the second order quantification. This only means that it has fewer reduction steps than Asperti's original functional notation to speak about the derivations of LAL [1]. So, the computational complexity is preserved.

Splitting the logical formulas into linear and exponential ones is a consequence of splitting the set of assumptions for the derivations. The logic, however, is unchanged: as soon as the term decorations are forgotten, any difference on the logical formulas can be forgotten as well.
4 Encoding P-Time Turing Machines

The encoding morally divides into two parts that we call quantitative and qualitative¹. The quantitative part is relative to the representation of the polynomial which bounds the computational complexity. The qualitative one is about encoding the transition function of the machine being encoded.

The quantitative part gets the representation of the initial tape as input. Its main tasks are: calculating the integer $B$ which bounds the number of computational steps, and using $B$ for iterating the representation t_fun of the transition function. The qualitative part takes a configuration as input, namely a copy of the representation of a tape and a state. The qualitative part implements the transition function t_fun which shifts the head of the machine on the tape, according to the actual state and to the last character read.

We assume to encode a machine $(\mathcal{A}, \mathcal{S}, \mathcal{F})$ where $\mathcal{A}$ is the input tape alphabet $\{0, 1\}$, $\mathcal{S}$ is the set of states with cardinality $m$, and $\mathcal{F}$ is the transition function $(\mathcal{A} \cup \{*\}) \times \mathcal{S} \to \mathcal{A} \times \mathcal{S} \times \{L, R\}$. The symbol $*$ stands for the "blank" cell, while $L$ and $R$ are the directions of the head moves. The head is supposed to write a symbol into the last read cell of the tape, before moving. Among the states in $\mathcal{S}$, we distinguish the initial one $S_0$. The alphabet $\mathcal{A} \cup \{*\}$ is ranged over by $\zeta$, the set of states by $S$, and $\{L, R\}$ by $\mu$.

Configurations. A configuration is determined by a tape, a position of the head on it, and a state. The representation we choose is:

$\lambda OO'ZZ'JJ'.\S((\lambda xx'.\,\chi_1(\ldots(\chi_p\,x)\ldots) \otimes \chi'_1(\ldots(\chi'_q\,x')\ldots)) \otimes \mathsf{state}_i)$,

where $\chi_i \in \{\underline{!}O, \underline{!}Z, \underline{!}J\}$ with $1 \le i \le p$, $\chi'_j \in \{\underline{!}O', \underline{!}Z', \underline{!}J'\}$ with $1 \le j \le q$, being $p, q \ge 0$. The type config of any term config like the one here above is:

$\mathsf{config} \stackrel{def}{=} \forall\alpha.\;!(\alpha \multimap \alpha) \multimap\; !(\alpha \multimap \alpha) \multimap\; !(\alpha \multimap \alpha) \multimap\; !(\alpha \multimap \alpha) \multimap\; !(\alpha \multimap \alpha) \multimap\; !(\alpha \multimap \alpha) \multimap \S(\alpha \multimap \alpha \multimap (\alpha \otimes \alpha \otimes \mathsf{state}))$,

¹ Lafont suggested this terminology.
where $\mathsf{state} \stackrel{def}{=} \forall\alpha\beta.\,(\underbrace{(\alpha \multimap \beta) \otimes \ldots \otimes (\alpha \multimap \beta)}_{m} \otimes \alpha) \multimap \beta$ is the type of the terms $\mathsf{state}_i$, each one representing an element of $\mathcal{S}$, which, recall, has cardinality $m$.

Example 1. The configuration where the head is on $*$ of the tape:

$10*10$, (4.1)

and the actual state is $S_i$, is encoded with:

$\lambda OO'ZZ'JJ'.\S((\lambda xx'.\,\underline{!}Z(\underline{!}O\,x) \otimes \underline{!}J'(\underline{!}O'(\underline{!}Z'\,x'))) \otimes \mathsf{state}_i)$. (4.2)

The leftmost component of the tensor in the body of the $\lambda$-abstraction is the part of the tape to the left of the head, in reversed order. The cell read by the head, and the part of the tape to its right, is the central component of the tensor.

States. The term $\mathsf{state}_i$ is:

$\lambda \chi_0 \otimes \ldots \otimes \chi_{m-1} \otimes v.\,\chi_i\,v \qquad (0 \le i \le m-1)$.

Every $\mathsf{state}_i$ is designed to extract a row from an array. The parameter $\chi_i$ stands for the row, realized by a closed term. The parameter $v$ stands for the variables that the rows of the array would share additively, if they were not closed terms. Namely, $\mathsf{state}_i$ is the projection for the representation of an additive tuple in Intuitionistic Light Affine Logic. We can summarize as follows the behaviour of $\mathsf{state}_i$ on a tuple with two elements. Assume you want to encode a pair containing two typable terms $M$ and $N$ of $\Lambda_{LA}$, of which only one will be used in the computation. Suppose also that $x_1, \ldots, x_n$ are all the linear free variables common to both $M$ and $N$. Then $M \otimes N$ is not a legal term. It can not be typed because any $x_j$ here above occurs twice in it, every $x_j$ requiring an exponential type. This contrasts with the effective use of $x_j$ we are going to make: since we assume to use either $M$ or $N$, every $x_j$ is eventually used linearly. Like in [1], the pair is represented as the triple:

$(\lambda x_1 \otimes \ldots \otimes x_n.M) \otimes (\lambda x_1 \otimes \ldots \otimes x_n.N) \otimes (x_1 \otimes \ldots \otimes x_n)$.

The leftmost component $M$ is extracted by means of a projection that applies $\lambda x_1 \otimes \ldots \otimes x_n.M$ to $x_1 \otimes \ldots \otimes x_n$. The rightmost component $N$ is obtained analogously, by a projection that applies $\lambda x_1 \otimes \ldots \otimes x_n.N$ to $x_1 \otimes \ldots \otimes x_n$. Both every $\mathsf{state}_i$ and the array to which $\mathsf{state}_i$ is applied generalize the projections and the pair of the example here above.

Starting Configurations. Any starting configuration $\mathsf{config}_0$ has the form:

$\lambda OO'ZZ'JJ'.\S((\lambda xx'.\,x \otimes \chi'_1(\ldots(\chi'_q\,x')\ldots)) \otimes \mathsf{state}_0)$,

where every $\chi'_j$ ranges over $\{\underline{!}O', \underline{!}Z'\}$. Namely, the tape has only input characters on it, and the head is on its leftmost input symbol: the part of the tape to the left of the head is empty. The term $\mathsf{state}_0$ encodes $S_0$.
4.1 The Quantitative Part

The quantitative part calculates the bound on the length of the computation of the P-Time Turing machine encoded. We only state the main representation theorem. More details are in Appendix A. Assume $p(x)$ is the polynomial associated to our Turing machine, with maximal non-null degree $d$. Then, $p(x)$ can be encoded by $F$ in $\Lambda_{LA}$ with type $\mathsf{int} \multimap \S^{d+1}\mathsf{int}$, where:

$\mathsf{int} \stackrel{def}{=} \forall\alpha.\;!(\alpha \multimap \alpha) \multimap \S(\alpha \multimap \alpha)$.

Of course, $p(n) = m$ if, and only if, $F\,\underline{n}$ evaluates to $\underline{m}$, where, for every $n \ge 0$:

$\underline{n} = \lambda X.\S(\lambda y.\,\underbrace{\underline{!}X(\ldots(\underline{!}X\,y)\ldots)}_{n}) : \mathsf{int}$.
4.2 The Qualitative Part

The qualitative part implements the transition function of the P-Time Turing machine being encoded.

Some preliminary definitions are worth giving:

$I \stackrel{def}{=} \lambda x.x : \iota_\alpha$
$\pi_1 \stackrel{def}{=} \lambda x \otimes y.\,x : \mathsf{bool}_\alpha$
$\pi_2 \stackrel{def}{=} \lambda x \otimes y.\,y : \mathsf{bool}_\alpha$
$\Pi_{111} \stackrel{def}{=} \lambda(((x \otimes y) \otimes w) \otimes z) \otimes x'.\,x\,x' : \mathsf{4bool}_{\alpha,\beta}$
$\Pi_{112} \stackrel{def}{=} \lambda(((x \otimes y) \otimes w) \otimes z) \otimes x'.\,y\,x' : \mathsf{4bool}_{\alpha,\beta}$
$\Pi_{12} \stackrel{def}{=} \lambda(((x \otimes y) \otimes w) \otimes z) \otimes x'.\,w\,x' : \mathsf{4bool}_{\alpha,\beta}$
$\Pi_{2} \stackrel{def}{=} \lambda(((x \otimes y) \otimes w) \otimes z) \otimes x'.\,z\,x' : \mathsf{4bool}_{\alpha,\beta}$

$\iota_\alpha \stackrel{def}{=} \alpha \multimap \alpha$
$\mathsf{bool}_\alpha \stackrel{def}{=} (\alpha \otimes \alpha) \multimap \alpha$
$\mathsf{4bool}_{\alpha,\beta} \stackrel{def}{=} ((((\alpha \multimap \beta) \otimes (\alpha \multimap \beta)) \otimes (\alpha \multimap \beta)) \otimes (\alpha \multimap \beta)) \otimes \alpha \multimap \beta$.

$I$ is the identity and $\pi_1, \pi_2$ the projections on usual booleans, while $\Pi_{111}$, $\Pi_{112}$, $\Pi_{12}$ and $\Pi_2$ are projections analogous to the states.

Moreover, let $ozj$ abbreviate $o \otimes o' \otimes z \otimes z' \otimes j \otimes j'$, and let $OZJ$ stand for $\underline{!}O \otimes \underline{!}O' \otimes \underline{!}Z \otimes \underline{!}Z' \otimes \underline{!}J \otimes \underline{!}J'$. The respective types are: $\vec{\iota}_\alpha \stackrel{def}{=} \iota_\alpha \otimes \iota_\alpha \otimes \iota_\alpha \otimes \iota_\alpha \otimes \iota_\alpha \otimes \iota_\alpha$, and $!\vec{\iota}_\alpha \stackrel{def}{=} !\iota_\alpha \otimes\, !\iota_\alpha \otimes\, !\iota_\alpha \otimes\, !\iota_\alpha \otimes\, !\iota_\alpha \otimes\, !\iota_\alpha$.

We are now ready for introducing the main terms.
The encoding of the transition function is:

$\mathsf{t\_fun} \stackrel{def}{=} \lambda cOO'ZZ'JJ'.\S(\lambda xx'.\,(\mathsf{comp}\; OZJ)\,((\underline{\S}(c\; (\mathsf{step}\; \Pi_{111}\; \underline{!}O)\; (\mathsf{step}\; \Pi_{111}\; \underline{!}O')\; (\mathsf{step}\; \Pi_{112}\; \underline{!}Z)\; (\mathsf{step}\; \Pi_{112}\; \underline{!}Z')\; (\mathsf{step}\; \Pi_{12}\; \underline{!}J)\; (\mathsf{step}\; \Pi_{12}\; \underline{!}J')))\; (\mathsf{base}\; \Pi_2\; x)\; (\mathsf{base}\; \Pi_2\; x')))$

It gets a configuration $c$ for yielding a new one. For example, substituting (4.2) for $c$, the evaluation of the whole sub-term of t_fun which is the argument of $(\mathsf{comp}\; OZJ)$ ends up with:

$((\Pi_{112} \otimes \underline{!}Z) \otimes (\underline{!}O\,x)) \otimes ((\Pi_{12} \otimes \underline{!}J') \otimes (\underline{!}O'(\underline{!}Z'\,x'))) \otimes \mathsf{state}_i$. (4.3)

Namely, (4.2) iterates every step from base, both defined as:

$\mathsf{step} \stackrel{def}{=} \lambda xy.\lambda(u \otimes v) \otimes z.\,(x \otimes y) \otimes (v\,z)$
$\mathsf{base} \stackrel{def}{=} \lambda xy.\,(x \otimes I) \otimes y$,

and extracts the topmost symbol of both parts of the tape, together with a corresponding projection. The projection serves for choosing an element in a row of an array. In particular, $\Pi_{111}$ will always be associated to both $\underline{!}O$ and $\underline{!}O'$, $\Pi_{112}$ to both $\underline{!}Z$ and $\underline{!}Z'$, and $\Pi_{12}$ to both $\underline{!}J$ and $\underline{!}J'$. For a better exposition, call "head pair" each pair like $(\Pi_{112} \otimes \underline{!}Z)$ in (4.3) here above.

The definition of comp is:

$\mathsf{comp} \stackrel{def}{=} \lambda ozj.\lambda(((h_l \otimes h'_l) \otimes t_l) \otimes ((h_r \otimes h'_r) \otimes t_r)) \otimes s.\;\; h_r(s(\mathsf{table}\; ozj))\; h'_l\; t_l\; t_r$.

Firstly, $(\mathsf{comp}\; OZJ)$ is a $\lambda$-abstraction containing the occurrences of the terms $\underline{!}O$, $\underline{!}O'$, $\underline{!}Z$, $\underline{!}Z'$, $\underline{!}J$ and $\underline{!}J'$, among which are chosen those that must be used for generating the new configuration. The terms $\underline{!}O, \underline{!}O', \ldots$ feed the transition table:

$\mathsf{table} \stackrel{def}{=} \lambda ozj.\,(\lambda x.(((Q_{0,1} \otimes Q_{0,2}) \otimes Q_{0,3}) \otimes Q_{0,4}) \otimes x) \otimes \ldots \otimes (\lambda x.(((Q_{m-1,1} \otimes Q_{m-1,2}) \otimes Q_{m-1,3}) \otimes Q_{m-1,4}) \otimes x) \otimes ozj$.

As said earlier, it represents an array. In our running example, the parameter $s$ of $(\mathsf{comp}\; OZJ)$ is $\mathsf{state}_i$. Then $s(\mathsf{table}\; ozj)$ is the row of the array. From this row, the left component $\Pi_{112}$ of the head pair $(\Pi_{112} \otimes \underline{!}Z)$ extracts a term which is responsible for moving the head. In this case it would be $Q_{i,2}$. With the head pair
$(\Pi_{111} \otimes \underline{!}O)$ the obtained element would be $Q_{i,1}$, while $(\Pi_{12} \otimes \underline{!}J')$ would extract $Q_{i,3}$. Finally, every $Q_{i,j}$ in table is one among the two shifting terms here below:

$\mathsf{left}_{ij} \stackrel{def}{=} \lambda ozj.\lambda h_l t_l t_r.\,(t_l \otimes h_l(\chi'_{ij}\,t_r)) \otimes \mathsf{state}'_{ij}$
$\mathsf{right}_{ij} \stackrel{def}{=} \lambda ozj.\lambda h_l t_l t_r.\,(\chi_{ij}(h_l\,t_l) \otimes t_r) \otimes \mathsf{state}'_{ij}$,

where $\chi'_{ij}$ ranges over $\{o', z', j'\}$, and $\chi_{ij}$ over $\{o, z, j\}$. Every left and right term describes what to do when moving the head leftward or rightward, respectively. Of course, the form of table must be defined to satisfy the obvious link between the encoding and the machine encoded. The link is: $\mathcal{F}(\zeta, S) = (\zeta', S', \mu)$ iff the term $h_r(\mathsf{state}(\mathsf{table}\; ozj))$ of comp $\rhd^*$-reduces to $Q$, where: if $\mu = L$, then $Q = \mathsf{left}[\chi', \mathsf{state}']$; if $\mu = R$, then $Q = \mathsf{right}[\chi, \mathsf{state}']$; if $\zeta = 1$, then $h_r = \Pi_{111}$; if $\zeta = 0$, then $h_r = \Pi_{112}$; if $\zeta = *$, then $h_r = \Pi_{12}$; state encodes $S$ and $\mathsf{state}'$ encodes $S'$; if $\zeta' = 1$, then both $\chi = o$ and $\chi' = o'$; if $\zeta' = 0$, then both $\chi = z$ and $\chi' = z'$; if $\zeta' = *$, then both $\chi = j$ and $\chi' = j'$.

For those who want to check that the compulsory requirement about t_fun is satisfied, namely that t_fun has an iterable type $\mathsf{config} \multimap \mathsf{config}$, we give some hints about the intermediate typing: $\mathsf{step} : \mathsf{step}_{\alpha,\beta}$, $\mathsf{base} : \mathsf{base}_{\alpha,\beta}$, $\mathsf{comp} : \mathsf{comp}_\alpha$, $\mathsf{table} : \mathsf{table}_\alpha$, $\mathsf{left}_{ij} : \mathsf{shift}_\alpha$, and $\mathsf{right}_{ij} : \mathsf{shift}_\alpha$, where:

$\mathsf{step}_{\alpha,\beta} \stackrel{def}{=} \mathsf{4bool}_{\alpha,\beta} \multimap \iota_\alpha \multimap \sigma_{\alpha,\beta} \multimap \sigma_{\alpha,\beta}$
$\mathsf{base}_{\alpha,\beta} \stackrel{def}{=} \mathsf{4bool}_{\alpha,\beta} \multimap \alpha \multimap \sigma_{\alpha,\beta}$
$\mathsf{comp}_\alpha \stackrel{def}{=} \vec{\iota}_\alpha \multimap ((\sigma_{\alpha,\tau_\alpha} \otimes \sigma_{\alpha,\tau_\alpha}) \otimes \mathsf{state}) \multimap (\alpha \otimes \alpha \otimes \mathsf{state})$
$\mathsf{table}_\alpha \stackrel{def}{=} \vec{\iota}_\alpha \multimap \mathsf{row}_\alpha \otimes \ldots \otimes \mathsf{row}_\alpha \otimes \vec{\iota}_\alpha$
$\mathsf{row}_\alpha \stackrel{def}{=} \vec{\iota}_\alpha \multimap (((\mathsf{shift}_\alpha \otimes \mathsf{shift}_\alpha) \otimes \mathsf{shift}_\alpha) \otimes \mathsf{shift}_\alpha) \otimes \vec{\iota}_\alpha$
$\mathsf{shift}_\alpha \stackrel{def}{=} \vec{\iota}_\alpha \multimap \tau_\alpha$
$\sigma_{\alpha,\beta} \stackrel{def}{=} ((\mathsf{4bool}_{\alpha,\beta} \otimes \iota_\alpha) \otimes \alpha)$
$\tau_\alpha \stackrel{def}{=} (\alpha \multimap \alpha) \multimap \alpha \multimap \alpha \multimap ((\alpha \otimes \alpha) \otimes \mathsf{state})$.

It may help also saying that the projections $\Pi_{111}$, $\Pi_{112}$, $\Pi_{12}$ are used in t_fun with the types $\mathsf{4bool}_{\vec{\iota}_\alpha,\tau_\alpha}$ here above, because they serve as actual parameters for replacing $h_r$ in comp.

4.3 Gluing all Together

The whole encoding of the P-Time Turing machine with polynomial $p(x)$ of maximal non-null degree $d$ is a term with type $\mathsf{tape} \multimap \S^{d+3}\mathsf{tape}$, where:

$\mathsf{tape} \stackrel{def}{=} \forall\alpha.\;!(\alpha \multimap \alpha) \multimap\; !(\alpha \multimap \alpha) \multimap\; !(\alpha \multimap \alpha) \multimap\; !(\alpha \multimap \alpha) \multimap \S(\alpha \multimap \alpha \multimap \alpha \otimes \alpha)$.
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The general scheme defining a term representing a tape is: 



AOO'ZZ'.§(Axx'.xi(- --{Xp x)...) (g>Xi{- ■ ■ {Xq x') . . .)) , 

where \i ^ with 1 <i<p,x'j {fO'JZ'j with 1 < j < q, and p,q>0. 

Appendix B has the details about the whole encoding of the Turing machine. 
The relation between such encoding and the Turing machine is the obvious one: 
if the Turing machine yields a tape to from an input tape ti on the alphabet 
{0, 1}, the same relation holds between the encodings of ti and to thanks to the 
term in Appendix B. Its main tasks are: feeding the quantitative part with an 
integer, obtained from the initial tape, and feeding the qualitative part by the 
starting configuration, namely the initial tape and the initial state. 

5 On the Obvious Encoding 

In [1], P-Time completeness of LAL is claimed to hold by saying that it can be 
proved following [3], where the proof of P-Time completeness for Light Linear 
Logic is sketched. The proof in [3] is developed on the obvious representation 
of configurations. For example, the tape 10*10 with the head reading * in the 
state S_i would be: 

XOZJ.^(\xAZ(JO x)) (8> XOZJ.^(\xJj(JO(JZ x))) (g> statsi : config^ , (5.1) 
where state_i encodes S_i, and: 

config' ≝ tape' ⊗ tape' ⊗ state' 

tape' ≝ ∀α.!(α ⊸ α) ⊸ !(α ⊸ α) ⊸ !(α ⊸ α) ⊸ §(α ⊸ α) , 

for some suitable type state'. 

Any transition function t_fun' working on (5.1) needs to access the bodies of 
the §-boxes of the λ-abstractions in order to produce a new configuration. This can be 
done only by endowing t_fun' with a §-box as well, whose border can be merged 
with those in (5.1). Recall, indeed, that boxes cannot be opened in LAL, 
but only merged. So, the use of a §-box in t_fun' gets recorded in the co-domain 
of its type: config' ⊸ §config'. This type does not allow t_fun' to be iterated. As 
can be seen in the definition of iter in Appendix A, iteration works only on 
terms with coinciding domain and co-domain. Since the encoding of the P-Time 
Turing machines in LLL rests on iterating t_fun', we get stuck. 

Our more “parallel” representation of the configurations yields an 
encoding of the P-Time Turing machines in LAL. The differences between 
the sequent calculi of LLL and LAL make ΛLA useless for verifying directly 
that our encoding works on LLL as well. However, we do not see any reason 
why the principles our encoding rests on could not be used successfully on LLL. 
The interested reader could try to follow our encoding idea in a Proof Nets 
language for LLL. Proof Nets would avoid the useless syntactic overhead caused 
by the high number of rules defining LLL. 
6 Conclusions 

This paper has been written as a consequence of an attempt to study Light Affine 
Logic as a programming language, using Curry-Howard principles. The final aim 
is writing a compact language for Light Affine Logic which is automatically 
typable and P-Time complete. The study of completeness led to the need 
of writing down all the details of the encoding of a P-Time Turing machine 
in Light Affine Logic, following [3]. Something went wrong, so the proof of 
P-Time completeness of Light Affine Logic was still waiting to be worked out 
correctly. This is what we have just done, also contributing by introducing a 
very compact language to program feasible functions. 
A Details on the Quantitative Part 



Let τ ⊗ ... ⊗ τ, with n elements, be denoted by τ_n. Let p(x) be the polynomial 
describing the computational bound of the Turing machine being encoded. Let 
also K = The term P encoding p[x) is defined as: 



Ex.^{{\yoC. . .CyoC. ..Cyl-iC. ..»yoC. . .Cyt-i- 
'^{coerc_int^’° §^((®oa;°))j,o) 



G§*^+^(coerc_mt’’ {{o-ix'^))yi) 



C^^^^{coerc_int°’° (fa vx^'fjyv) 
) ^(tupleCnt,. x)) : int ^ 
where: 

{{ax°))y coercJ,nt°’° H : §int 

{{ax”))y multJnt” {iT^^) {coercjnt”^^’^ a) : §"^^int («■>!) , 

being r/i . . .r/„ the free variables of ((ax"))y, and: 

{x°) 1 -^ coercA'nf'’^ xo : §int 

(a;") 1 -^ multJnt^ {x^~^) {coercJ,nf^~^’^ x„) : §"^^int («■ > 1) 

being xi . . . x„ the free variables of (x"), and: 

0 ≝ λX.§(λx.x) : int 

1 ≝ λX.§(λx.X x) : int 

sum_int_n ≝ λx_1⊗...⊗x_n X.§(λy.§(x_1 X)(...(§(x_n X) y)...)) : int_n ⊸ int 

^0p 

sumXnt^ = \x]_® . . .®Xn.'^ {suw,J,ntn : (§^int)„ — o §^int 

succ_int ≝ λx.sum_int_2 1⊗x : int ⊸ int 

succjnf''^ "M \x.%^{}.‘^{succjnt F(f x))) : f I'^int ^ f I'^int 

■^.9 dg ^ 

coerc_ intP’‘‘ Ax.§(§(x lsucc_ ivF’^) TF’^) : int ^ f +b«int 

iter ≝ λxXy.§(§(x X) §y) : int ⊸ !(τ ⊸ τ) ⊸ §τ ⊸ §τ 
iter^ \xyz.F {iter Fv W F) : §^int ^ ^ t) ^ ^ 

multXnt = XxX.iter x \{\y.sumj,nt IX y) : int — o!int — o §int 
multJnF 'M Xxy.F {mMltJnt ifx y) : §^int ^ §^!int ^ §^^^int 

tuple_int_n ≝ λx.§(§(x !(λx_1⊗...⊗x_n. succ_int x_1 ⊗ ... ⊗ succ_int x_n)) 0_n) : 
int ⊸ §(int_n) 



where p, q ≥ 0 and n ≥ 1, 



B Details on Gluing all Together: The Turing Machine 

Let P : int ⊸ §^{d+1}int be the term encoding the quantitative polynomial of 
degree d, and T the term encoding the table which the transition function 
rests on. The term encoding the Turing machine is defined as: 

Xt.config2tape^^^ {{>{{Xti(X>t2-iter^^^ {F{tape2int ti)) 

if+Pr) 

[starting ^config^^^ ^2) 

) ^[dblAape t))) : tape — o §'^+®tape 
where, for every p, q ≥ 0 and n ≥ 1: 



empty_tape ≝ λOO'ZZ'.§(λxx'. x⊗x') 
succ-tape , XtOO' ZZX\(XxxX{XwZw XxwZ^.xw 



(§(f O (Jf Z Z') X x'\ 





) : tape - 


-o tape 




def 




succ-tape^ 


= succ-tape^ j : tape — < 


> tape 




def 




succ-tape^, 


= succ-tapej : tape — 


■o tape 


dbl-succ-tape^,, 


def , 

= XxZy .[succ-tape^,, x^ 


)(Z)[succ. 



Sx" y) '■ tape2 ^ tape2 

merge-tape XwZz.XOO' ZZ' .'^{^Xxx' .'K \(^{w O O' Z Z') x I) 

®7T2(§(« O o' Z Z') I x') 

) : tape2 — o tape 


merge-tape^ = XxZy.^^ [merge -tape x y) : (§^tape)2 — o §^tape 

dbl-merge-tape'M Xwj(E)Wi(E>zj(E)Zi .[merge-tape w\ zj;)(Z [merge-tape wf zj) : 

tape^ — o tap02 

d©f 

empty -tape^ = empty -tape : §^tape 

succ-tape^ = Xt.[Z [succ-tape^ §^t) : §^tape — o §^tape 
d©f — 

coerc-tape^ = Xt.[>[merge-tape^ (§(f \[succ-tape^o) \[succ-tape^,) 

\[succ-tape^^) \[succ-tape^^,) 

) empty-tape^ empty-tape^)) : tape — o §^^^tape 

config2tape XcOO' Z Z' .^[Xxx' .[XyZwZ z.y(Zw)[^[c O O' Z Z') x x')) : 

config — o tape 

(nj 0 £ 

config 2 tape^ = Xc.[^ [config 2 tape §^c) : §^config — o §^tape 

(4 0 -p 

flatteri-tape = Aa;® j/.AX.§(A«.7Ti(§(a; XXX X)[TT 2 [^[y XXX X) I z)) I)) : 



tape2int = Xt.flatten-tape (§(t \succ-tapeQ \succ-tapeQ 

\succ-tapeQ, \succ-tapeQ, 

) empty-tape empty-tape) : tape ■ 



tap 02 



int 



int 



starting -Config^ Xt.[)^^^ [XOO' Z Z' ,[)[Xxx' ,[)[[)^^^ [coerc-tape^ t) O O' Z Z') x x 

Zstateo)) '■ tape — o §^^^config 

^ 0 ^ 

dbl-tape = Xt.[)[dbl-merge-tape[[)[t Idblsucc-tapeQ \d,blsucc-ta,peQ, 

! dbl-succ-tape^ ! dblsucc-tape^, 

) empty-tape2 empty-tape2 

)) : tape — o §(tape® config) 

with x ∈ {O, Z} ⇒ x' = I, x = I ⇒ x' ∈ {O', Z'}, and x'' ∈ {O, O', Z, Z'}. 
Abstract. For every hierarchical system of equations S over some complete 
and distributive lattice we construct an equivalent system with the 
same set of variables which additionally is guarded. The price to be paid is 
that the resulting right-hand sides may grow exponentially. We therefore 
present methods by which the exponential blow-up can be avoided. In particular, 
the loop structure of the variable dependence graph is taken into 
account. Also we prove that size O(m · |V|) suffices whenever S originates 
from a fixpoint expression where the nesting-depth of fixpoints is at most 
m. Finally, we sketch an application to regular tree pattern-matching. 

Keywords: guardedness, μ-calculus, distributive lattices, loop-connectedness. 

1 Introduction 

Since Kozen’s seminal paper [13] in 1983, the modal μ-calculus has been widely 
used for specification and verification of properties of concurrent processes. 
Fixpoint expressions or (slightly more conveniently) hierarchical systems of equations, 
however, are considered to be difficult to understand - especially in the presence of 
deep nesting of alternating fixpoints. Therefore, various kinds of normal forms 
have been suggested in order to ease both theoretical and practical manipulations. 
One useful additional property of fixpoint expressions (or hierarchical 
systems of equations) is guardedness. 

A variable x is guarded in the expression e if x occurs only nested inside some 
application, i.e., as f(...x...) for some operator f. A hierarchical system of 
equations is called guarded if it does not contain a cyclic variable dependence 
through unguarded variable occurrences only. Hierarchical systems of Boolean 
equations only use “⊔” (least upper bound) and “⊓” (greatest lower bound) 
in right-hand sides and thus no operators at all. Therefore, all occurrences of 
variables in right-hand sides are unguarded. Consequently, finding equivalent 
guarded systems means removing cyclic variable dependences completely. Such 
acyclic systems can be solved in polynomial (even linear) time. Therefore, finding 
equivalent guarded systems in general cannot be easier than computing solutions 
of hierarchical systems of Boolean equations. 

For hierarchical systems of equations over more complicated complete lattices 
and with non-empty sets of operators, a guardedness transformation need not 
necessarily break all cyclic variable dependences. It does, however, eliminate 
“useless” fixpoint iterations, namely those which can be removed without touching 
operator applications. This preprocessing has been used for simplifying 
proofs about the μ-calculus [20], in automata constructions [10,16] or constructions 
of direct proofs of satisfiability [9,11,17]. 

Notions related to guardedness have been considered in various contexts. In 
recursive process definitions, guardedness is commonly assumed [1]. Guardedness 
plays an important role in universal algebra for polynomial equations to have 
unique solutions [5]. Uniqueness of solutions is also central when equations are 
to be solved over metric spaces [2] (see also section 7). 

It is well-known that hierarchical systems of equations can always be transformed 
into equivalent guarded ones (see, e.g., [20,11]) - if not even part of the 
“folklore”. Here, however, we are interested in designing efficient transformation 
techniques which minimize the encountered overhead. We start our considerations 
by separating the transformation into two stages (section 3). The first 
stage performs an (appropriately generalized) control-flow analysis to determine 
which subexpressions may arrive at which unguarded variables. In the second 
phase, the actual transformation is performed. What is important here is 
that each phase operates on the original system - simultaneously on all levels 
of fixpoints. By this trick, we avoid a potential explosion in size through repeatedly 
feeding partially transformed systems (possibly of increased sizes) into the 
same algorithm (e.g., as in [20,11]). While the number of variables of the system 
produced by the two-stage transformation has not increased, sizes of right-hand 
sides may have increased exponentially. In order to reduce this extra space, we 
take into account how the new right-hand sides are constructed through fixpoint 
iteration. For arbitrary hierarchical systems, we obtain a new upper bound which 
is related to structural properties of the variable dependence graph (section 5). 
In the worst case, the blow-up in size of the system still can only be bounded 
to be exponential in the alternation-depth of the original system. Therefore we 
exhibit useful special classes where just a small polynomial increase suffices - 
independent of the alternation-depth (section 6). In case of equations over 
languages of finite trees, we finally show how guardedness transformations can be 
used to replace greatest fixpoints by least ones and thus to remove alternation 
of fixpoints altogether. This observation can be exploited for compiling powerful 
tree patterns to finite tree automata (section 7). 

2 Hierarchical Systems of Equations 

Instead of formally introducing fixpoint expressions, let us immediately consider 
the slightly more flexible concept of hierarchical systems of equations. Assume 
we are given a complete lattice D which, as such, is equipped with the binary 
operations “⊔” (least upper bound) and “⊓” (greatest lower bound). Let Σ 
denote a set of further operator symbols where each f ∈ Σ denotes a monotonic 
function ⟦f⟧ : D^k → D for some k ≥ 1. Operator symbols from Σ denote “real” 
operations whose applications will not be touched by our transformations. 

As right-hand sides of equations we allow expressions built up from formal 
variables from some set Z and constants by application of operators from Σ together 
with “⊔” and “⊓”. The set of all these expressions is denoted by E_{Σ,D}(Z). Every 
expression e ∈ E_{Σ,D}(Z) denotes a function ⟦e⟧ : (Z → D) → D. This function is 
monotonic, since “⊔”, “⊓” and all operators from Σ are monotonic. 

A hierarchical system of equations with free variables from F is a pair (S, H). 
S is the finite basic set of equations z = e_z, z ∈ Z, where for every z, e_z is 
an expression in E_{Σ,D}(Z ∪ F), and H is a hierarchy on Z. A hierarchy consists 
of a sequence H = ((Z_r, λ_r), ..., (Z_1, λ_1)) of mutually disjoint sets Z_k where 
Z = Z_r ∪ ... ∪ Z_1 together with qualifications λ_k ∈ {μ, ν}. Z_k is also called the 
k-th block of variables, whereas the length r of the hierarchy is called the alternation- 
depth of S. Intuitively, hierarchy H on S describes the nesting of scopes of 
variables within which fixpoint iteration is performed: iteration on variables from 
the same block is performed jointly, whereas iteration on variables from block Z_i 
should be thought of as nested inside the iteration on variables from Z_j, i < j. 

Example 1. Assume we are given the fixpoint expression 

μx_1. a ⊔ (μx_2. f(x_1, x_2) ⊔ (x_1 ⊓ (νx_3. g x_3 ⊔ (x_2 ⊓ x_3)))) 

A representation of this expression by a hierarchical system is obtained by 
introducing an extra equation for each fixpoint subexpression. For our example this 
gives a set S consisting of: 

x_1 = a ⊔ x_2                    x_3 = g x_3 ⊔ (x_2 ⊓ x_3) 
x_2 = f(x_1, x_2) ⊔ (x_1 ⊓ x_3) 

Hierarchy H is obtained by dividing the set of fixpoint variables into blocks of 
fixpoints of the same kind for which fixpoint iteration can be performed jointly. 
For our example expression, we choose H = ((Z_2, μ), (Z_1, ν)) where Z_1 = {x_3} 
and Z_2 = {x_1, x_2}. □ 

Usually, if H is understood, we write S for the hierarchical system. 

Fix some 1 ≤ k ≤ r, and let Z^(k) = Z_k ∪ ... ∪ Z_1. Then the k-th subsystem S_k 
of S is given by the set of equations z = e_z, z ∈ Z^(k), together with hierarchy 
H_k = ((Z_k, λ_k), ..., (Z_1, λ_1)). Note that the free variables of S_k are contained 
in F ∪ Z_r ∪ ... ∪ Z_{k+1}. 

An environment ρ for S is a mapping ρ : F → D. The semantics ⟦S⟧ρ of S in 
D relative to environment ρ is a mapping Z → D defined by induction on the 
alternation-depth r. For r ≥ 1, consider the monotonic function G : (Z_r → D) → 
(Z_r → D) given by G σ z = ⟦e_z⟧(ρ + σ + ⟦S_{r-1}⟧(ρ + σ)) where S_{r-1} is empty in 
case r = 1. Note that we use the “+”-operator to combine two functions with 
disjoint domains into one. In case Z_r is qualified as μ, let σ denote the least 
fixpoint of G. Otherwise, let σ denote the greatest fixpoint of G. Then ⟦S⟧ρ is 
defined by ⟦S⟧ρ z = σ z if z ∈ Z_r and ⟦S⟧ρ z = ⟦S_{r-1}⟧(ρ + σ) z otherwise. 

The set U[e] of unguarded variables occurring in e is inductively defined by: 

U[d] = ∅                           (d ∈ D) 
U[z] = {z}                         (z a variable) 
U[f(e_1, ..., e_k)] = ∅            (f ∈ Σ) 
U[e_1 ⊔ e_2] = U[e_1] ∪ U[e_2] 
U[e_1 ⊓ e_2] = U[e_1] ∪ U[e_2] 

A sequence z_1, ..., z_m of variables of S is called an unguarded cycle if z_m occurs 
unguarded in e_{z_1} and likewise, for j = 2, ..., m, z_{j-1} occurs unguarded in e_{z_j}. 
System S is guarded iff S does not contain unguarded cycles. 

Example 2. Consider the hierarchical system of equations from ex. 1. It contains, 
e.g., the unguarded cycle x_2, x_3. □ 

When analyzing guardedness of hierarchical systems, we find it useful to assume 
w.l.o.g. that right-hand sides e of variables are of one of the following forms: 

1. e is a Boolean expression, i.e., in E_{∅,{⊥,⊤}}(Z ∪ F); or 

2. e is an operator application f(e_1, ..., e_k), k ≥ 1, or a constant from D. 

This special form can always be achieved, possibly by introduction of extra 
auxiliary variables for constants and operator applications. 

Example 3. Consider our hierarchical system from ex. 1. We introduce extra 
variables y_1, y_2, y_3 for the expressions a, f(x_1, x_2) and g x_3, respectively, and obtain 
the equations: 

x_1 = y_1 ⊔ x_2                 y_1 = a                x_3 = y_3 ⊔ (x_2 ⊓ x_3)        y_3 = g x_3 
x_2 = y_2 ⊔ (x_1 ⊓ x_3)         y_2 = f(x_1, x_2) 

The new hierarchy is obtained by adding the new variables to the corresponding 
blocks: (({x_1, x_2, y_1, y_2}, μ), ({x_3, y_3}, ν)). □ 

3 The Basic Transformation 

A lattice D is called distributive iff it has a least element ⊥, a greatest element ⊤ 
and the equations a ⊓ (b ⊔ c) = (a ⊓ b) ⊔ (a ⊓ c) and a ⊔ (b ⊓ c) = (a ⊔ b) ⊓ (a ⊔ c) hold 
for all a, b, c ∈ D. Let B = {⊥ ⊑ ⊤} denote the Boolean lattice, and for a (finite) 
set Y, let B[Y] denote the complete lattice consisting of all monotonic functions 
(Y → B) → B. Facts 1 and 2 are well-known: 

Fact 1 Every element φ ∈ B[Y] can be uniquely represented by its minimal 
disjunctive normal form, i.e., φ = m_1 ⊔ ... ⊔ m_k where m_i = ⊓_{y ∈ Y_i} y for 
pairwise incomparable subsets Y_i ⊆ Y. □ 

Fact 2 Every mapping ρ : Y → D, D a distributive lattice, can be uniquely 
extended to a mapping ρ* : B[Y] → D with the following properties: 

• ρ* y = ρ y for every y ∈ Y;        • ρ* (φ_1 ⊔ φ_2) = ρ* φ_1 ⊔ ρ* φ_2; 
• ρ* ⊥ = ⊥ and ρ* ⊤ = ⊤;             • ρ* (φ_1 ⊓ φ_2) = ρ* φ_1 ⊓ ρ* φ_2. 

A mapping with the properties listed in fact 2 is also called a morphism (between 
distributive lattices). Fact 2 states that B[Y] is the free distributive lattice (generated 
from Y). Because of facts 1 and 2, we no longer distinguish between 
elements in B[Y] and expressions built up from constants ⊥, ⊤ and variables in 
Y by means of applications of ⊔ and ⊓. We obtain: 

Proposition 3. Assume S is a hierarchical system of equations x = e_x, x ∈ 
X, over distributive lattice D with free variables from F where each right-hand 
side is contained in B[X ∪ F]. Then for every environment ρ : F → D, 
ρ* (⟦S⟧ x) = ⟦S⟧ρ x for all x ∈ X. □ 




H. Seidl and A. Neumann 



Here, the semantics of S on the left-hand side of the equation is computed over 
B[F] w.r.t. the empty environment, whereas on the right-hand side it is computed 
over D where the values for the free variables are taken from ρ. 

Assume S is a hierarchical system of equations z = e_z, z ∈ Z, of alternation 
depth r where the hierarchy of S is given by H = ((Z_r, λ_r), ..., (Z_1, λ_1)). Let X 
and Y denote the sets of variables with Boolean expressions as right-hand sides, 
and of variables with constants or operator applications as right-hand sides, 
respectively, and Z_k ∩ X = X_k. Moreover, let S̄ denote the subsystem of S for 
variables in X. Thus, all the variables in Y are free variables of S̄. 

For k = 1, ..., r, let F_k denote the set of free variables of subsystem S̄_k. Then 
construct D_k = B[Y ∪ F_k], and let σ̄_k : (X_k ∪ ... ∪ X_1) → D_k denote the semantics 
of S̄_k over D_k relative to the empty environment. We define a new hierarchical 
system S' with the same hierarchy as S but the following set of equations: 

x = σ̄_k x,    x ∈ X_k, 1 ≤ k ≤ r        y = e_y,    y ∈ Y 

In S', variables from X_j may occur unguarded only in right-hand sides of 
variables from X_i where i < j. Thus, system S' is guarded. 

Example 4. Consider the hierarchical system from ex. 3. The set of free variables 
is empty whereas the set Y of variables for operator applications and constants 
is given by Y = {y_1, y_2, y_3}. We obtain: 

σ̄_2 x_1 = y_1 ⊔ y_2        σ̄_2 x_2 = y_2 ⊔ (y_1 ⊓ y_3)        σ̄_1 x_3 = y_3 ⊔ x_2 

Consequently, the newly constructed hierarchical system is constituted by the 
same hierarchy H = (({x_1, x_2, y_1, y_2}, μ), ({x_3, y_3}, ν)) together with the 
equations: 

x_1 = y_1 ⊔ y_2                 y_1 = a                x_3 = y_3 ⊔ x_2        y_3 = g x_3 
x_2 = y_2 ⊔ (y_1 ⊓ y_3)         y_2 = f(x_1, x_2) 

We claim: 

Theorem 1. Assume S is a hierarchical system of equations over a complete 
and distributive lattice. Then S and the guarded system S' are equivalent. 

Proof. The following two observations can be deduced from prop. 3: 

Fact 4 Assume 1 ≤ k ≤ r. 

1. Then σ̄_{k-1} is the unique solution over D_{k-1} of the set of equations 

x = σ̄_j x,    x ∈ X_j, j < k. 

2. Assume the k-th block of S is qualified μ (ν). Then σ̄_k is the least (greatest) 
solution over D_k of the set of equations 

x = e_x,    x ∈ X_k        x = σ̄_{k-1} x,    x ∈ X_j, j < k    □ 

With fact 4 we prove for k = 1, ..., r, all ρ and z ∈ Z_k that ⟦S_k⟧ρ z = ⟦S'_k⟧ρ z. 
Assume this assertion holds for S_{k-1} (if it exists). We will successively transform 
S_k into the system S'_k. Each of the applied steps will preserve the semantics for 
the variables in Z_k. 

Step 0: We replace the subsystem S_{k-1} of S_k (if existing) with S'_{k-1}. Subsystems 
S_{k-1} and S'_{k-1} are equivalent by induction hypothesis. In the following, we only 
transform the k-th block and within this block only the equations with left-hand 
sides not from Y. Let us call this the Boolean part of the k-th block. 
Step 1: We add a fresh variable x' to (the Boolean part of) the k-th block for 
every x ∈ X_j, j < k, together with the equation x' = σ̄_j x. Thus, the new right- 
hand side of variable x' is a copy of the right-hand side of the corresponding 
variable x. Therefore they evaluate to the same values, and we can replace every 
occurrence of x ∈ X_j, j < k, in the Boolean part of the k-th block with the 
corresponding variable x'. 

Step 2: By Bekić's principle [3,16], the resulting k-th block is equivalent to a 
block where the right-hand sides of the x' equal the (unique) solution {x' | x ∈ 
X_j, j < k} → D_k of the corresponding subset of equations. By fact 4.1, this 
solution is given by x' ↦ σ̄_{k-1} x. Therefore in step 2, we replace the right-hand 
side of x', x ∈ X_j, j < k, with σ̄_{k-1} x. 

Step 3: In the Boolean part of the k-th block, we now rename every variable 
x ∈ X_k with the corresponding x', and add new equations x = x', x ∈ X_k. 
Thus, step 3 consists in splitting the fixpoint computation for the k-th block 
into an inner iteration on the primed variables x' within the Boolean part, nested 
inside an iteration on the unprimed variables x. This again preserves the 
semantics (see, e.g., [3,16]). 

Step 4: Assume w.l.o.g. that block k in S_k is qualified μ. By fact 4.2, the least 
solution of the set of equations over D_k with left-hand sides x', x ∈ X_j, j ≤ k, is 
given by x' ↦ σ̄_k x. Therefore again by Bekić's principle, we now can replace the 
right-hand sides of all x' with σ̄_k x. 

Example 5. Consider the hierarchical system of equations from ex. 3 and let 
k = 2. Then S'_1 is given by the equations 

x_3 = y_3 ⊔ x_2        y_3 = g x_3 

together with the hierarchy (({x_3, y_3}, ν)). This part of the system will remain 
unchanged throughout the construction. The only block of equations which we 
are going to modify is the k-th (i.e., second) block. Initially, it is given by: 

x_1 = y_1 ⊔ x_2                 y_1 = a 
x_2 = y_2 ⊔ (x_1 ⊓ x_3)         y_2 = f(x_1, x_2) 

Step 1 adds variable x'_3 with right-hand side σ̄_1 x_3 = y_3 ⊔ x_2 and results in the 
set of equations: 

x_1 = y_1 ⊔ x_2            x'_3 = y_3 ⊔ x_2        y_1 = a 
x_2 = y_2 ⊔ (x_1 ⊓ x'_3)                          y_2 = f(x_1, x_2) 

Notice that the reference to x_3 in the equation for x_2 has been replaced by a 
reference to the new variable x'_3. Step 2 is vacuous in this example. Step 3 then 
renames x_l with x'_l (l = 1, 2) and then adds the equations x_l = x'_l. It results in 
the set of equations: 

x_1 = x'_1        x'_1 = y_1 ⊔ x'_2                 x'_3 = y_3 ⊔ x'_2        y_1 = a 
x_2 = x'_2        x'_2 = y_2 ⊔ (x'_1 ⊓ x'_3)                                y_2 = f(x_1, x_2) 

The least solution of the equations for x'_1, x'_2, x'_3 over D_2 = B[{y_1, y_2, y_3}] is 

σ̄ x'_1 = y_1 ⊔ y_2        σ̄ x'_2 = y_2 ⊔ (y_1 ⊓ y_3)        σ̄ x'_3 = y_3 ⊔ y_2 

which precisely equals x'_l ↦ σ̄_2 x_l. Thus, σ̄ gives the new right-hand sides for 
the x'_l in step 4. □ 

After step 4, the primed variables no longer occur in right-hand sides, except 
in the equations x = x'. Therefore, we can replace these equations by x = σ̄_k x 
and subsequently remove all variables x' together with their defining equations. 
The resulting system precisely equals S'_k and we are done. □ 

Our construction of an equivalent guarded system is an improvement of the 
“classical” folklore method for fixpoint expressions sketched in [20,17,11] which 
introduces a huge (even doubly exponential) increase in size. Note, however, that 
for the case of fixpoint expressions, our methods will allow us even to construct 
an equivalent guarded hierarchical system of polynomial size (see section 6). 
The present transformation prepares the ground for such further improvements 
in the construction since it allows to clearly separate the transformation into two 
stages. The first stage computes the mappings σ̄_k, k = 1, ..., r, whereas only 
the second stage ultimately transforms S. 

Let n ≤ m ≤ |S| denote the numbers of elements in X and in X ∪ Y, 
respectively. Then each value in D_k can be represented by an expression of size 
O(m · 2^m). The overall size of the transformed system therefore is bounded by 
O(|S| + n · m · 2^m). In order to improve on the (potentially) exponential space to 
store the expressions σ̄_k x, we take into account how the σ̄_k can be constructed. 



4 Blind Algorithms 

Assume we are given a (finite) set S of equations over some lattice D without free 
variables and cyclic variable dependences. Then S has a unique solution σ which, 
given a suitable topological ordering x_1 < ... < x_n of the variables, can be computed 
by successively evaluating the right-hand sides for x_i, i = 1, ..., n. In this 
sense, we can view S as a straight-line program computing variable assignment 
σ. Therefore, our goal can be rephrased as designing efficient straight-line programs 
that compute the variable assignments σ̄_k. In contrast to straight-line programs, we 
will allow redefinitions of variables and use programming-language constructs such 
as for-loops or switch-statements whose conditions, however, may not depend on 
D-valued variables. Formally, this can be assured by viewing the lattice elements 
as abstract values for which there are assignments and operations ⊔ and ⊓, but 
which are lacking any kind of comparison. Let us call such algorithms blind. 
Every terminating blind algorithm can be unrolled into a finite sequence of 
variable assignments. By possibly introducing auxiliary variables, we can always 
bring this sequence into single-assignment form. Therefore, we obtain: 

Fact 5 For every terminating blind algorithm computing σ : X → D, there is a 
straight-line program computing a variable assignment σ' which uses the same 
number of operations in D such that σ x = σ' x for all x ∈ X. □ 

We conclude that the time complexity of blind algorithms for computing σ̄_k, k = 
1, ..., r, directly translates into the output space of the corresponding guardedness 
transformations. In the following, we therefore will design efficient blind 
algorithms for computing the semantics of hierarchical equation systems over 
distributive complete lattices with Σ = ∅, i.e., operators only from 




On Guarding Nested Fixpoints 



forall (x ∈ X) x = ⊥; 
for (j = 1, j ≤ k, j++) { 
    forall (x ∈ X) x' = e_x; 
    forall (x ∈ X) x = x'; 
} 

Fig. 1. Lock-Step Iteration. 



5 The General Case 

Let S denote a set of equations x = e_x, x ∈ X, without free variables, over 
a distributive lattice D where Σ = ∅. The first algorithm one may think of 
is lock-step iteration as in fig. 1. This algorithm successively computes the n-th 
approximation of the least fixpoint. Since all values of the next round are 
computed w.r.t. the old values of the variables, we use a set {x' | x ∈ X} of fresh 
variables to receive the new values. These are then copied into the x ∈ X. 

The algorithm from fig. 1 finds the least fixpoint after k = #X rounds. A straight- 
forward application to hierarchical systems would successively remove fixpoints 
outside-in by an appropriate unrolling. The structure of variable dependences, 
however, is not taken into account. Therefore, we prefer to replace lock-step 
iteration with a Round-Robin strategy. For (intra-procedural) data-flow analysis, 
such an approach has been considered, e.g., by Kam and Ullman [12]. 

The (variable) dependence graph of the set of equations S is the directed graph 
G = (X, E) where E consists of all edges (x_1, x_2) where variable x_1 occurs in the 
right-hand side of variable x_2. A set B of edges of G is called a set of back-edges 
if G without the edges from B is a dag. The maximal number of edges from B on 
any cycle-free path in G is called the loop-connectedness of G (relative to B). 
Notice that the loop-connectedness of G relative to B is at most #B or even 
#{v | (u, v) ∈ B}, which sometimes is less. Deciding in general whether the 
loop-connectedness relative to some B is ≥ k for arbitrary k is NP-complete [7]. 
Determining a set of back-edges which minimizes the loop-connectedness seems 
to be an even harder problem. In case, however, graph G is “well-structured” 
(reducible), polynomial algorithms are known both for computing such a minimal 
B and the corresponding loop-connectedness [7] (see [8] for precise 
definitions of reducibility). The polynomial algorithm for reducible graphs also 
provides us with a heuristics (running in linear time) to compute small sets B 
of back-edges in arbitrary graphs: just determine a DFS forest T of G, and then 
choose B as the set of all edges (u, v) of G where v is an ancestor of u w.r.t. T. 
The resulting set B is at least locally minimal insofar as no proper subset is a 
set of back-edges for G as well. 

A good choice for a set B of back-edges as well as a safe approximation of the 
loop-connectedness relative to B will do for all our subsequent constructions. 
A worse B as well as less accurate approximations for the loop-connectedness may 
result in larger outputs but will not affect the correctness of the construction. 
Any choice of B, however, will provide us with an algorithm which is not worse 
than the lock-step algorithm. For the following let us fix a suitable set B of 
for (i = 1, i ≤ n, i++) x_i = ⊥; 
for (j = 1, j ≤ k, j++) 
    for (i = 1, i ≤ n, i++) x_i = e_i; 

Fig. 2. Round-Robin Iteration. 



back-edges. Let < denote a topological ordering of the variables in X w.r.t. the 
dag obtained from G by removing all edges from B. Assume this ordering 
is given as x_1 < x_2 < ... < x_n where the right-hand side for x_i is given by 
e_i. Then the new strategy loops through all variables where for variable x_i 
we use those values for variables x_j which already have been computed 
within the same round. The version for least solutions is shown in fig. 2. The dual 
version for greatest fixpoints differs in that values of variables x_i are initialized 
with ⊤ (instead of ⊥). For the case of least solutions, we prove: 

Proposition 6. The Round-Robin algorithm of fig. 2 computes the least solution 
of S in c + 1 rounds where c equals the loop-connectedness of S (relative to B). 



Example 6. Consider the set of equations (with Σ = ∅) given by: 

x_1 = y_1 ⊔ x_2        x_2 = y_2 ⊔ (x_1 ⊓ x_3)        x_3 = y_3 ⊔ x_2 
The variable dependence graph is shown in fig. 3. 

Fig. 3. The Variable Dependences for Ex. 6. 

One set of back-edges is given by B = {(x_1, x_2), (x_2, x_3)}. The loop-connectedness 
relative to B is 2. Another set of back-edges, however, is given by 
B' = {(x_3, x_2), (x_1, x_2)}. For set B', the loop-connectedness equals 1, implying 
that Round-Robin iteration according to ordering x_2 < x_1 < x_3 terminates already 
after 2 rounds. Starting with initial values ⊥, we obtain: 




X2 


Xi 


X3 


1 

2 


V2 

V2 U (j/i nj/3) 


J/l Uj/2 
J/1 Uj/2 


J /3 Uj /2 
J /3 Uj /2 



Proof of prop. 6. For simplicity, let us assume that right-hand sides e_i are of 
one of the forms d ∈ D, x_j, x_j ∪ x_k or x_j ∩ x_k for x_j, x_k ∈ X. The sets T_i of 
intersection trees for x_i, i = 1, ..., n, inductively are defined as follows: 

• If e_i ∈ D, then x_i ∈ T_i; 

• If e_i = x_j, then x_i(t) ∈ T_i for every t ∈ T_j; 

• If e_i = x_j ∪ x_k, then x_i(t) ∈ T_i for every t ∈ T_j ∪ T_k; 

• If e_i = x_j ∩ x_k, then x_i(t_j, t_k) ∈ T_i for every t_j ∈ T_j and t_k ∈ T_k. 

Fig. 4. The Graphs G^(1) and G^(2) for Ex. 3. 

t is called cycle-free iff no path in t has more than one occurrence of the same 
variable. Each intersection tree t ∈ T_i represents a value [t], namely, the meet 
over all values corresponding to the leafs of t. Formally, [t] is defined as follows: 

    [x_i] = d                    if e_i = d ∈ D 
    [x_i(t)] = [t] 
    [x_i(t_1, t_2)] = [t_1] ∩ [t_2] 

Let σ : X → D denote the least solution of S. Then σ x_i = ⊔{[t] | t ∈ T_i}, 
x_i ∈ X. Now consider an intersection tree t ∈ T_i which is not cycle-free. Then 
we can construct a cycle-free t' ∈ T_i such that [t] = [t'] ∩ d for some d ∈ D 
implying that [t] ⊑ [t']. Hence, it suffices to take least upper bounds just over 
cycle-free intersection trees. Thus the following claim implies our assertion: 
Claim: Assume j ≥ 1. After round j, the value of x_i is an upper bound for [t] 
whenever t ∈ T_i is cycle-free and has at most j − 1 back-edges on every path 
from a leaf to the root. □ 

In presence of distributivity, our prop. 6 can be seen as a generalization of Kam 
and Ullman’s result [12] to more general forms of systems of equations. 

Let us apply prop. 6 to hierarchical systems with Σ = ∅. We propose an itera- 
tion strategy which for alternation-depth r consists in r nested for-loops. Each 
iteration of the outermost loop first evaluates the variables from block r; then it 
descends into an iteration on the variables of the lower blocks. 

Assume G = (X, E) is the variable dependence graph of hierarchical system S. 
We construct directed graphs G^(k), k = 1, ..., r, as follows. 

• The set of vertices of G^(k) is given by X; 

• The set of edges of G^(k) consists of all pairs (z, x) where x ∈ X_k and z 
occurs in e_x (primary edges) together with all pairs (x, z) where x ∈ X_k, 
z ∈ X_j, j < k, and there is a path in G^(j) from x to z (derived edges). 

Let c_k denote the minimal loop-connectedness of G^(k) relative to sets of back- 
edges consisting of primary edges only. Then the variables in X_k can be arranged 
in such a way that (c_k + 1) iterations of the k-th for-loop are sufficient. We call 
c_k the k-th derived loop-connectedness. 

Example 7. Consider the hierarchical equation system of ex. 3. The graphs G^(1) 
and G^(2) are shown in fig. 4. Since G^(1) has only a self-loop, derived loop- 
connectedness c_1 equals 0. The other graph, G^(2), has already been considered 
in ex. 6. There we found as set of back-edges B' = {(x_3, x_2), (x_1, x_2)}. Since all 
edges in B' are primary, we conclude that c_2 = 1. □ 

Let n_k denote the number of variables of the k-th block. By construction, c_k ≤ n_k 
for all k. Recall that (n_1 + 1) · ... · (n_r + 1) ≤ (n/r + 1)^r where n = n_1 + ... + n_r. 
Combining theorem 1 with the sketched blind algorithm, we obtain: 

Theorem 2. Assume S is a hierarchical system of equations with n variables 
and alternation-depth r over a complete and distributive lattice, and let c_1, ..., c_r 
denote the sequence of derived loop-connectednesses. Then an equivalent¹ guarded 
hierarchical system can be constructed of size 

    O(r · (c_1 + 1) · ... · (c_r + 1) · |S|) ≤ O(r · (n/r + 1)^r · |S|). □ 

The size of the resulting system is linear in the size of S but still may be 
exponential in the alternation-depth. Observe, however, that the left estimation of 
theorem 2 usually is sharper than the right bound which just counts variables 
and ignores variable dependences. 

6 Polynomial Special Cases 

Often, the variable dependences of (hierarchical) systems are not “arbitrary”. In 
particular, this is the case when the system is derived from a fixpoint expression 
as in ex. 1. The key idea for this case is to recursively descend into strongly 
connected components. We obtain a forest-like decomposition similar to [4,6]. 
Assume G is a directed graph. A decomposition forest (df for short) w for a set 
V of nodes of G is defined as follows. If V = ∅, then w = ε (the empty list of 
trees). Otherwise, let G' denote the subgraph of G with nodes in V. 

Case 1: G' is strongly connected. Then w = (w', x) where x ∈ V and w' is a df 
for V \ {x}. We call x exit of strong component G'. 

Case 2: G' is not strongly connected. Then w = w_1 ... w_k, k > 1, where w_j is 
a df for V_j, and the sequence V_1, ..., V_k is a topological ordering of the strong 
components of G', i.e., whenever an edge of G' goes from V_i to V_j, then i < j. 

Thus, a df is obtained from G by recursively applying two steps: first, decompo- 
sition into strongly connected components; second, extracting exits from these. 
The depth depth(w, x) of variable x relative to df w equals the number of parentheses 
within which x is nested. Formally, if w = (w_1, x_1) ... (w_k, x_k) then depth(w, x_j) = 1 
for j = 1, ..., k, and for x occurring in w_j, depth(w, x) = 1 + depth(w_j, x). The 
depth of w then is the maximal depth of a variable occurring in w. 

Every directed graph has decomposition forests, but only “well-structured” gra- 
phs have decomposition forests which are exit-post-dominated. Here, w is an 
exit-post-dominated df (edf for short) iff w is a df where for every subtree (v, h) 
of w and every edge (x, y), x in (v, h) and y not in (v, h) implies x = h. 

Example 8. Consider the hierarchical system from ex. 3. Then a df for the va- 
riable dependence graph of S is given by w = (((ε, x_3), x_2), x_1). Df w is indeed 
exit-post-dominated. Observe that the exits in this decomposition are nothing 
but the fixpoint variables of the expression. Another edf, however, which has 
smaller depth is given by w' = ((ε, x_1)(ε, x_3), x_2). □ 

The post-dominator relation can be computed in polynomial time [19]. Therefore, 
it takes only polynomial time to decide whether or not a graph has an edf and, 
in case it has, to construct such an edf. Our new algorithm for equation systems 
over distributive lattices with Σ = ∅ corresponding to edf's is shown in fig. 5. It 
processes one strong component after the other; within a strong component, it 
first performs a scan over the whole component. This scan evaluates each variable 
within the strong component from left to right. After this scan, the final value 
for the exit has been reached. Then the algorithm descends one level down the 
edf w. Note that this recursive call of solve reinitializes each variable in the sub- 
forest. In case we are just interested in the least solution, this reinitialization 
can be abandoned. This is no longer possible, however, for alternating fixpoints. 

    solve(w) { 
      switch (w) { 
        case ε : return; 
        case (w1, x) w2 : 
          scan((w1, x)); 
          solve(w1); 
          solve(w2); 
      } } 

    scan(w) { 
      switch (w) { 
        case ε : return; 
        case (w1, x) w2 : 
          x = ⊥; 
          scan(w1); 
          x = e_x; 
          scan(w2); 
      } } 

Fig. 5. The EDF-Algorithm for w. 

¹ up to extra auxiliary variables, of course 



Proposition 7. Assume S is a set of equations x = e_x, x ∈ X, without free 
variables over a distributive lattice where Σ = ∅, and w is an edf of the variable 
dependence graph of S. Then: 

1. The edf-algorithm from fig. 5 computes the least solution of S. 

2. It evaluates each variable x exactly depth(w, x) times. □ 
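As an added illustration of the Round-Robin iteration of fig. 2 and of the edf-algorithm of fig. 5 (example code written for this edition, not the paper's own), the following Python runs both on the equations of Example 6 over a powerset lattice and checks the evaluation counts of prop. 7; the atom sets chosen for y_1, y_2, y_3, the function names and the tuple encoding of decomposition forests are assumptions.

```python
from typing import Callable, Dict, FrozenSet, List, Tuple

# Lattice D: powerset of a finite set of atoms ordered by inclusion (complete
# and distributive), with ⊥ = ∅ and ∪ / ∩ as lattice operations.  Constructed
# sample values for the free variables y1, y2, y3 of Example 6 (assumed):
Y: Dict[str, FrozenSet[str]] = {
    "y1": frozenset("ab"), "y2": frozenset("c"), "y3": frozenset("bd")}
BOT: FrozenSet[str] = frozenset()

Env = Dict[str, FrozenSet[str]]
# Right-hand sides e_x of Example 6: x1 = y1 ∪ x2, x2 = y2 ∪ (x1 ∩ x3), x3 = y3 ∪ x2
RHS: Dict[str, Callable[[Env], FrozenSet[str]]] = {
    "x1": lambda s: Y["y1"] | s["x2"],
    "x2": lambda s: Y["y2"] | (s["x1"] & s["x3"]),
    "x3": lambda s: Y["y3"] | s["x2"],
}


def is_solution(sigma: Env) -> bool:
    """True iff sigma satisfies every equation x = e_x."""
    return all(RHS[x](sigma) == sigma[x] for x in RHS)


def round_robin(order: List[str], rounds: int) -> Env:
    """Fig. 2: every variable starts at ⊥; each round re-evaluates the
    variables in the given topological order, so a variable already sees the
    values computed for its predecessors within the same round."""
    sigma: Env = {x: BOT for x in order}
    for _ in range(rounds):
        for x in order:
            sigma[x] = RHS[x](sigma)
    return sigma


# Decomposition forest (Section 6): a forest is a list of trees, a tree is
# (subforest, exit); the empty list stands for ε.
Forest = List[Tuple["Forest", str]]


def edf_solve(w: Forest, sigma: Env, evals: Dict[str, int]) -> None:
    """solve(w) of fig. 5: scan the first strong component (w1, x) as a whole,
    then descend into w1 (which re-initialises its variables), then treat w2."""
    if not w:
        return
    (w1, x), w2 = w[0], w[1:]
    edf_scan([(w1, x)], sigma, evals)
    edf_solve(w1, sigma, evals)
    edf_solve(w2, sigma, evals)


def edf_scan(w: Forest, sigma: Env, evals: Dict[str, int]) -> None:
    """scan(w) of fig. 5: x = ⊥; scan(w1); x = e_x; scan(w2)."""
    if not w:
        return
    (w1, x), w2 = w[0], w[1:]
    sigma[x] = BOT
    edf_scan(w1, sigma, evals)
    sigma[x] = RHS[x](sigma)
    evals[x] = evals.get(x, 0) + 1      # evaluation count, for prop. 7(2)
    edf_scan(w2, sigma, evals)


def run_edf(w: Forest) -> Tuple[Env, Dict[str, int]]:
    """Run solve(w) from scratch; return the final assignment and counts."""
    sigma: Env = {}
    evals: Dict[str, int] = {}
    edf_solve(w, sigma, evals)
    return sigma, evals


def edf_depths(w: Forest, level: int = 1) -> Dict[str, int]:
    """depth(w, x): the number of parentheses x is nested in."""
    out: Dict[str, int] = {}
    for w1, x in w:
        out[x] = level
        out.update(edf_depths(w1, level + 1))
    return out


if __name__ == "__main__":
    # Ordering x2 < x1 < x3 for back-edges B' (loop-connectedness 1): 2 rounds.
    print(round_robin(["x2", "x1", "x3"], 2))
    # edf w' = ((ε,x1)(ε,x3),x2) of Example 8: x2 evaluated once, x1 and x3 twice.
    W_PRIME: Forest = [([([], "x1"), ([], "x3")], "x2")]
    print(run_edf(W_PRIME))
```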

The correctness of the edf-algorithm crucially depends on w being exit-post- 
dominated. The advantage of this algorithm (whenever applicable), however, is 
that some variables may be evaluated significantly fewer times than others. Also, 
if we are only interested in the variables of an upper fragment of w, reevaluation 
of the remaining variables can be discarded. The other advantage is that it can 
be extended to hierarchical systems of equations - without further increase in 
complexity. Assume S is a hierarchical system of equations where Σ = ∅. Let G 
denote the variable dependence graph (i.e., the one obtained from S by ignoring 
the hierarchy). An edf w for G is leveled iff for each subtree t = (w', h) of w, 
variable h has a block number which is at least as big as the block number of 
every variable occurring in t. We say that S is expression-like iff G has a leveled 
edf. 

The main motivation for this definition is that the hierarchical equation systems 
derived from fixpoint expressions naturally have leveled edf's as defined above. 
Expression-like hierarchical systems, however, are more “liberal” than fixpoint 
expressions, e.g., by allowing sharing of identical subsystems. 

Let us now modify the algorithm from fig. 5 by changing procedure scan to 
initialize x = ⊤ whenever x is a greatest-fixpoint variable and x = ⊥ otherwise. 

Proposition 8. Assume S is a hierarchical system of equations without free 
variables over a distributive lattice with Σ = ∅. If w is a leveled edf for the de- 
pendence graph of S, then the modified edf-algorithm for w computes [[S]] ∅. □ 



Example 9. Consider the hierarchical system from ex. 1 together with edf w' = 
((ε, x_1)(ε, x_3), x_2). First, let us determine the values of σ_2 for x_1 and x_2 in 
D[{…, y_3}]. The computation of the modified edf-algorithm produces the fol- 
lowing sequence of variable evaluations: 

    x_1 : y_1 
    x_3 : y_3 
    x_2 : y_2 ∪ (y_1 ∩ y_3) 
    x_1 : y_1 ∪ y_2 

Final results for σ_2 are the last listed values for x_2 and x_1. Notice that we avoided 
reevaluation of x_3, since the values of σ_2 are just needed for variables from the second 
block. In order to compute σ_1 for x_3 from the first block, we switch the lattice 
to D_1 = D[{y_3, x_1, x_2}]. One single evaluation step yields σ_1 x_3 = y_3 ∪ x_2. □ 



Combining theorem 1 with prop. 8, we obtain: 

Theorem 3. Assume S is a hierarchical system of equations over a complete 
and distributive lattice where S is expression-like. Then an equivalent guarded, 
hierarchical system can be constructed of size O(m · |S|) where m is the depth of 
a leveled edf for the dependence graph of S. □ 

Applied to some fixpoint expression e, theorem 3 states that an equivalent 
guarded hierarchical system of equations can be constructed which is just a factor 
m larger (m the depth of nesting of fixpoints in e). 

Another important subclass of (hierarchical) systems of equations is obtained 
by restricting the usage of “∩”. Assume S is a hierarchical system of equations 
with Σ = ∅. S is called disjunctive iff each right-hand side e is of the form 

    e ::= x | d | e_1 ∪ e_2 | e ∩ d 

where x denotes a variable and d elements in D. This special form is the ge- 
neralization of disjunctive Boolean equation systems as considered by Mader 
[14] to arbitrary distributive lattices. They closely correspond to distributive 
fixpoint expressions [18]. A simplification of the ideas from the latter paper can 
be applied to reduce the alternation-depth beforehand to (at most) 2. Using this 
transformation together with the technique from section 5, we obtain: 

Theorem 4. Assume S is a hierarchical system of equations over a complete 
and distributive lattice where S is disjunctive. Then an equivalent guarded, hier- 
archical system can be constructed of size O((n + 1) · (c + 1) · |S|) where n is 
the number of greatest fixpoint variables and c is the loop-connectedness of the 
variable dependence graph of S. □ 



7 Applications 

Guardedness transformations are especially useful whenever operator applicati- 
ons are “contracting” in some sense. Let us make this idea precise. Let D denote 
a complete lattice. Let us consider a metric δ on D which satisfies the following 
properties: 

    (1)  δ(d_1, d_2) ≤ max(δ(d_1, d), δ(d, d_2)) 
    (2)  δ(d ∪ d_1, d ∪ d_2) ≤ δ(d_1, d_2) 
    (3)  δ(d ∩ d_1, d ∩ d_2) ≤ δ(d_1, d_2) 

for all d, d_1, d_2 ∈ D. A metric satisfying (1) is also called ultra-metric. In case 
inequalities (2) and (3) hold, we call δ invariant. We illustrate these definitions 
by the following example. 

Example 10. Let T_Σ denote the set of languages of finite trees over signature 
Σ. Then T_Σ is a complete and distributive lattice (w.r.t. set inclusion as natural 
ordering). On T_Σ we define δ(L_1, L_2) = 2^{-h} where h is the minimal depth of a 
tree in the symmetric difference of L_1 and L_2. Then δ is a metric which satisfies 
inequalities (1), (2) and (3). □ 

Operator f : D^k → D is called contracting, iff there exists some 0 ≤ λ < 1 such 
that for all d_i, d'_i ∈ D and every j, δ(f(d_1, ..., d_k), f(d'_1, ..., d'_k)) ≤ λ · δ(d_j, d'_j). 

Example 11. Consider the distributive and complete lattice T_Σ from ex. 10. For 
a ∈ Σ, let [a] denote the operation of formal application of a. Then [a] is 
contracting with factor λ = 1/2. □ 

The following theorem is analogous to Banach’s fixpoint theorem. 

Theorem 5. Assume D is a complete lattice and all operators are contracting 
w.r.t. some invariant ultra-metric on D. Then every finite system of equations 
over D without unguarded cycles has a unique solution. □ 

Proof. W.l.o.g. let us assume that no right-hand side contains unguarded varia- 
ble occurrences. By structural induction, we find that for variable assignments 
σ_1, σ_2 and expression e without unguarded variable occurrences, δ([[e]] σ_1, [[e]] σ_2) 
≤ λ · max{δ(σ_1 x, σ_2 x) | x ∈ X} for some 0 ≤ λ < 1. Now let σ_1 and σ_2 denote 
the least and greatest solutions of S, respectively, and assume that σ_1 ≠ σ_2. 
Thus, r = max{δ(σ_1 x, σ_2 x) | x ∈ X} > 0, and there exists some x ∈ X such 
that r = δ(σ_1 x, σ_2 x) = δ([[e_x]] σ_1, [[e_x]] σ_2) ≤ λ · r - a contradiction. □ 

Note that we did not assume that P is a complete metric space. Existence of so- 
lutions follows since P is a complete lattice. The metric is only used to guarantee 
unicity of solutions. 

In [15], we have proposed techniques for pattern matching in finite trees. Here, 
patterns denote recognizable tree languages for which the element problem must 
be solved. As a convenient and expressive specification language for recognizable 
sets we suggested fixpoint expressions. Expressions containing just least fixpoints 
naturally correspond to (alternating) finite tree automata. In order to allow easy 
complementation, greatest fixpoints are useful as well. According to ex. 10 and 
11, Theorem 5 exhibits an interesting method of how greatest fixpoints can be 
removed. Given a fixpoint expression over T_Σ, we proceed as follows: 

(0) We construct an equivalent hierarchical system of equations; 

(1) We construct an equivalent guarded hierarchical system of equations; 

(2) We replace all greatest fixpoints by least ones. 

Acknowledgments: We thank Andre Arnold, Damian Niwinski and Igor 
Walukiewicz for many inspiring discussions and helpful remarks. 

Abstract. We study the following problem: Given a transition system T and its 
quotient T/~ under an equivalence ~, which are the sets L', L'' of Hennessy-Milner 
formulae such that: if φ ∈ L' and T satisfies φ, then T/~ satisfies φ; if φ ∈ L'' 
and T/~ satisfies φ, then T satisfies φ. 

1 Introduction 

In the equivalence approach to formal verification, the specification and the implementa- 
tion of a system are typically formalised as transition systems S and I, and the informal 
statement ‘the implementation satisfies the specification’ is formalized as ‘S is equiva- 
lent to I’. In the modal logic approach, the specification is a modal formula φ, and the 
statement is formalised as ‘I is a model of φ’. 

In a seminal paper [7], Hennessy and Milner proved that bisimulation equivalence 
admits a modal characterization: Two (finitely branching) processes are bisimilar if and 
only if they satisfy exactly the same formulae of Hennessy-Milner logic. This result was 
later extended to the modal μ-calculus, a much more powerful logic strictly containing 
many other logics, like CTL, CTL*, and LTL. This showed that it was possible to link 
two different approaches to formal verification, based on equivalences and modal logics, 
respectively. 

Modal characterizations play an important rôle in practice: Given a very large, or 
even infinite, transition system T, we would like to obtain a smaller, or at least simpler, 
transition system T' which satisfies the specification if and only if T does. If the spe- 
cification belongs to a set of formulae L characterizing an equivalence ~, then we can 
safely take any T' satisfying T ~ T'. 

An interesting possibility is to take T' as the quotient of T under ~, whose 
states are the equivalence classes of the states of T, and whose transitions are given by 
[s] -a-> [t] only if s -a-> t. This works for all equivalences in van Glabbeek’s spectrum [18] 
because they satisfy T ~ T/~ (as proved in [13]). Quotients are particularly interesting 
for bisimulation equivalence for practical reasons, of which we give just two. First, in 
this case T/~ can be very efficiently computed for finite transition systems, as shown 
in [16]. Second, for some classes of real-time and hybrid systems [2,8], the quotient 
under bisimulation of an infinite transition system can be proved to be finite; this makes 
automatic verification possible, at least in principle. 

T/~ is guaranteed to satisfy a property of L if and only if T does, but maybe this 
holds for other properties as well? We study this question (in a slightly refined form) 
within the framework of Hennessy-Milner logic, for arbitrary equivalences. Given a 
set of formulae L characterizing ~, our results determine the sets L', L'' ⊇ L such that 
T/~ satisfies φ ∈ L' if T does, and T satisfies φ ∈ L'' if T/~ does. As we shall see, 
L' ∩ L'' = L; the additional formulae of L', L'' which do not belong to L can be used 
by efficient verification semi-algorithms (which produce yes/no/don’t know answers) - 
if we want to find out whether T satisfies some φ ∈ L' ∪ L'', we can first check if T/~ 
satisfies φ; if it is the case and φ ∈ L'', we can conclude that T satisfies φ. If T/~ does 
not satisfy φ and φ ∈ L', we conclude that T does not satisfy φ. In the other cases we 
‘don’t know’. 

The paper is organized as follows. Section 2 contains preliminary definitions. In 
Section 3.1, as a warm-up, we determine the set L' preserved by any transition system 
T' satisfying T ~ T'. In Section 3.2, the core of the paper, we determine the set L' 
preserved by the quotient T/~. In Section 4 we apply our results to the equivalences in 
van Glabbeek’s hierarchy. Section 5 contains conclusions and comments on related and 
future work. 

2 Definitions 

Let Act = {a, b, c, ...} be a countably infinite set of atomic actions (which is fixed for 
the rest of this paper). 

Definition 1. A transition system (T.S.) is a triple T = (S, A, →) where S is a set 
of states, A ⊆ Act, and → ⊆ S × A × S is a transition relation. We say that T is 
finitely-branching iff for every s ∈ S, a ∈ A the set {t | s -a-> t} is finite. Processes are 
understood as (being associated with) states in finitely-branching transition systems. 

In the rest of this paper we only consider finitely-branching T.S. (this restriction is harm- 
less from the ‘practical’ point of view, but it has important ‘theoretical’ consequences as 
it, e.g., allows to prevent the use of infinite conjunctions in our future constructions). 

As usual, we write s -a-> t instead of (s, a, t) ∈ → and we extend this notation to 
elements of A* in a standard way. A state t is reachable from a state s iff s -w-> t for 
some w ∈ A*. If s is a state of T, then T(s) denotes the transition system (S', A, →') 
where S' = {t ∈ S | s -w-> t for some w ∈ A*} and →' is the induced restriction of 
→. The set of actions which is used in the underlying transition system of a process p 
is denoted by Act(p) (sometimes we work with processes whose associated transition 
system has not been explicitly defined). Properties which have been originally defined 
for transition systems are often also used for processes; in that case we always mean that 
the underlying transition system has the property (for example, we can speak about the 
set of states and actions of a given process). 

Definition 2. Let T_1 = (S_1, A_1, →_1), T_2 = (S_2, A_2, →_2) be transition systems. A 
(total) function f : S_1 → S_2 is a homomorphism from T_1 to T_2 iff ∀s, t ∈ S_1, a ∈ Act : 
s -a->_1 t ⟹ f(s) -a->_2 f(t). 




A Logical Viewpoint on Process-Algebraic Quotients 501 

Definition 3. A renaming is an (arbitrary) injective function r : Act → Act. For 
every transition system T = (S, A, →) we define the r-renamed transition system 
r(T) = (S, r(A), →_r) where s -b->_r t iff s -a-> t and r(a) = b. 

2.1 Process Descriptions 

In this section we briefly introduce and motivate the problem which is considered in this 
paper. 

Transition systems are widely accepted as a convenient model of concurrent and 
distributed systems. A lot of verification problems (safety, liveness, etc.) can be thus 
reduced to certain properties of processes (states). A major difficulty is that in practice we 
often meet systems which have a very large (or even infinite) state-space. A natural idea 
how to decrease computational costs of formal verification is to replace a given process 
with some ‘equivalent’ and smaller one (which can be then seen as its ‘description’). 

In this paper we consider two types of process descriptions (~-representations and 
~-characterizations), which are determined by a chosen process equivalence ~ (by a 
‘process equivalence’ we mean an arbitrary equivalence on the class of all processes, 
i.e., states in finitely-branching T.S.). 

Definition 4. Let ~ be a process equivalence. A process t is a ~-representation of a 
process s iff s ~ t. 

Definition 5. Let ~ be a process equivalence. The ~-characterization of a process s of 
a transition system T = (S, A, →) is the process [s] of T/~ = (S/~, A, ↦) where S/~ 
is the set of all ~-classes of S (the class containing s is denoted by [s]) and ↦ is the 
least relation satisfying s -a-> t ⟹ [s] -a-↦ [t]. 

Observe that the ~-characterization of s is essentially the quotient of s under ~. We 
use the word ‘characterization’ because for every ‘reasonable’ process equivalence ~ 
(see Lemma 6) we have that s ~ [s] for each process s; hence, the ~-characterization 
of s describes not only the behaviour of s (as ~-representations of s do), but also 
the behaviour of all reachable states of s, i.e., it characterizes the whole state-space 
of s. More precisely, for every state t of the process s there is an equivalent state [t] 
of the process [s]. Therefore, we intuitively expect that ~-characterizations should be 
more robust than ~-representations. This intuition is confirmed by main theorems of 
Section 3. Also note that the same process can have many different ~-representations, 
but its ~-characterization is unique. 

Definition 6. Let P be a property of processes, ~ a process equivalence. We say that P 
is 

- preserved by ~-representations (or ~-characterizations) iff whenever t is a ~-rep- 
resentation (or the ~-characterization) of s and s satisfies P, then t satisfies P; 

- reflected by ~-representations (or ~-characterizations) iff whenever t is a ~-rep- 
resentation (or the ~-characterization) of s and t satisfies P, then s satisfies P. 



An immediate consequence of the previous definition is the following: 
Lemma 1. Let ~ be a process equivalence. A property P is preserved by ~-representations 
(or ~-characterizations) iff ¬P is reflected by ~-representations (or ~-characteriza- 
tions). 

The question considered in this paper is what properties expressible in Hennessy-Milner 
logic (see the next section) are preserved and reflected by ~-representations and ~- 
characterizations for a given process equivalence ~, i.e., to what extent are the two 
kinds of process descriptions ‘robust’ for a given ~. As we shall see, we can give a com- 
plete classification of those properties if the equivalence ~ satisfies certain (abstractly 
formulated) conditions. Intuitively, we put more and more restrictions on ~ which allow 
us to prove more and more things; as we shall see in Section 4, all those restrictions are 
‘reasonable’ in the sense that (almost) all existing (i.e., studied) process equivalences 
satisfy them. See Section 4 for details. 

2.2 Hennessy-Milner Logic 

Formulae of Hennessy-Milner (H.M.) logic have the following syntax (a ranges over 
Act): 

    φ ::= tt | φ ∧ ψ | ¬φ | ⟨a⟩φ 

The denotation [[φ]] of a formula φ on a transition system T = (S, A, →) is defined as 
follows: 

    [[tt]] = S 
    [[φ ∧ ψ]] = [[φ]] ∩ [[ψ]] 
    [[¬φ]] = S − [[φ]] 
    [[⟨a⟩φ]] = {s ∈ S | ∃t ∈ S : s -a-> t ∧ t ∈ [[φ]]} 

Instead of s ∈ [[φ]] we usually write s ⊨ φ. The other boolean connectives are introduced 
in a standard way; we also define ff = ¬tt and [a]φ = ¬⟨a⟩¬φ. The depth of a formula 
φ, denoted depth(φ), is defined inductively by 

- depth(tt) = 0, 

- depth(φ ∧ ψ) = max{depth(φ), depth(ψ)}, 

- depth(¬φ) = depth(φ), 

- depth(⟨a⟩φ) = 1 + depth(φ). 

The set of actions which are used in a formula φ is denoted by Act(φ) (note that Act(φ) 
is always finite). 
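As an added example (written for this edition, not from the paper), the following Python implements the H.M. denotation and depth just defined, the ~-characterization of Definition 5 and the preserved/reflected test of Definition 6 for a single formula; the sample transition system, the tuple encoding of formulae, the coarse equival­ence COARSE and the partition-refinement routine used to obtain bisimulation classes are all constructed here and assumed.

```python
from typing import Dict, FrozenSet, Set, Tuple

State = str
Trans = FrozenSet[Tuple[State, str, State]]   # (s, a, t) encodes s -a-> t

# H.M. formulae as nested tuples (assumed encoding):
#   ("tt",)   ("and", f, g)   ("not", f)   ("dia", a, f)   for <a>f


def box(a: str, f: tuple) -> tuple:
    """[a]f = ¬⟨a⟩¬f, as defined in Section 2.2."""
    return ("not", ("dia", a, ("not", f)))


def denotation(states: Set[State], trans: Trans, phi: tuple) -> Set[State]:
    """[[phi]] on the T.S. (S, A, ->), clause by clause as in the definition."""
    kind = phi[0]
    if kind == "tt":
        return set(states)
    if kind == "and":
        return denotation(states, trans, phi[1]) & denotation(states, trans, phi[2])
    if kind == "not":
        return set(states) - denotation(states, trans, phi[1])
    if kind == "dia":
        inner = denotation(states, trans, phi[2])
        return {s for (s, a, t) in trans if a == phi[1] and t in inner}
    raise ValueError(f"unknown connective {kind!r}")


def depth(phi: tuple) -> int:
    """depth(phi) as defined in Section 2.2."""
    kind = phi[0]
    if kind == "tt":
        return 0
    if kind == "and":
        return max(depth(phi[1]), depth(phi[2]))
    if kind == "not":
        return depth(phi[1])
    return 1 + depth(phi[2])


def bisimulation_classes(states: Set[State], trans: Trans) -> Dict[State, int]:
    """Coarsest bisimulation on a finite T.S. by naive partition refinement
    (assumed helper): states stay together while they have equal
    (action, block) successor signatures; each step only splits blocks."""
    block = {s: 0 for s in states}
    while True:
        sig = {s: (block[s], frozenset((a, block[t]) for (u, a, t) in trans if u == s))
               for s in states}
        number = {v: i for i, v in enumerate(set(sig.values()))}
        new = {s: number[sig[s]] for s in states}
        if len(set(new.values())) == len(set(block.values())):
            return new
        block = new


def quotient(states: Set[State], trans: Trans,
             cls: Dict[State, int]) -> Tuple[Set[State], Trans]:
    """Definition 5: states are the ~-classes and [s] -a-> [t] iff s -a-> t."""
    q_states = {f"[{c}]" for c in cls.values()}
    q_trans = frozenset((f"[{cls[s]}]", a, f"[{cls[t]}]") for (s, a, t) in trans)
    return q_states, q_trans


def preserved_and_reflected(states: Set[State], trans: Trans, cls: Dict[State, int],
                            s: State, phi: tuple) -> Tuple[bool, bool]:
    """Definition 6 for the ~-characterization [s] of s and one formula phi:
    preserved iff s |= phi implies [s] |= phi; reflected iff the converse."""
    q_states, q_trans = quotient(states, trans, cls)
    at_s = s in denotation(states, trans, phi)
    at_q = f"[{cls[s]}]" in denotation(q_states, q_trans, phi)
    return (not at_s) or at_q, (not at_q) or at_s


# Constructed sample T.S.: s0 -a-> s1, s0 -a-> s2, s1 -b-> s3, s2 -b-> s4, s2 -c-> s4.
STATES: Set[State] = {"s0", "s1", "s2", "s3", "s4"}
TRANS: Trans = frozenset({("s0", "a", "s1"), ("s0", "a", "s2"), ("s1", "b", "s3"),
                          ("s2", "b", "s4"), ("s2", "c", "s4")})
# A coarser, constructed equivalence that merges the non-bisimilar states s1 and s2.
COARSE: Dict[State, int] = {"s0": 0, "s1": 1, "s2": 1, "s3": 2, "s4": 2}

if __name__ == "__main__":
    bis = bisimulation_classes(STATES, TRANS)
    psi = box("a", ("dia", "c", ("tt",)))            # [a]<c>tt, false at s0
    print(preserved_and_reflected(STATES, TRANS, bis, "s0", psi))     # (True, True)
    print(preserved_and_reflected(STATES, TRANS, COARSE, "s0", psi))  # (True, False)
```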

Definition 7. Let A ⊆ Act. A Tree over A is any directed binary tree with root r 
whose edges are labelled by elements of A satisfying the following condition: if p, q 
are a-successors of a node s, where a ∈ A, then the subtrees rooted by p, q are not 
isomorphic. Tree-processes are associated with roots of Trees (we do not distinguish 
between Trees and Tree-processes in the rest of this paper). Note that for every k ∈ ℕ_0 
and every finite A ⊆ Act there are only finitely many Trees over A whose depth is at 
most k (up to isomorphism). We denote this finite set of representatives by Tree(A)_k. 
It is a standard result that for every process s there is a Tree T_s over Act(s) (possibly 
of infinite depth) such that s and T_s satisfy exactly the same H.M. formulae (cf. [15]). 
One can also easily prove the following: 

Lemma 2. Formulae φ, ψ of H.M. logic are equivalent iff they agree on every element 
of Tree(A)_k where A = Act(φ) ∪ Act(ψ) and k = max{depth(φ), depth(ψ)}. 

For every renaming r and a H.M. formula φ we define the formula r(φ) which is obtained 
from φ by substituting each ⟨a⟩ with ⟨r(a)⟩. 

Lemma 3. For every process s, renaming r, and H.M. formula φ we have that s ⊨ φ 
iff r(s) ⊨ r(φ). 
In the next section we also need the following tools: 

Definition 8. Let φ be a H.M. formula, s a process. For a given occurrence of a sub- 
formula ψ in φ we define its diamond-depth, denoted d(ψ), to be the number of ⟨b⟩- 
modalities which have the occurrence of ψ in their scope. The set of all actions which 
are used in those modalities is denoted by A_d(ψ). Finally, we use R_s(ψ) to denote the 
set of all states which are reachable from s via a sequence of (exactly) d(ψ) transitions 
whose actions are contained in A_d(ψ). 

Lemma 4. Let φ be a H.M. formula. Let φ' be the formula obtained from φ by substi- 
tuting (given occurrences of) its subformulae ψ_1, ..., ψ_n by H.M. formulae ξ_1, ..., ξ_n, 
respectively. Let s be a process such that s ⊨ φ and for all i ∈ {1, ..., n}, s' ∈ R_s(ψ_i) 
one of the following conditions holds: 

1. s' ⊨ ψ_i ⟺ s' ⊨ ξ_i 

2. s' ⊨ ξ_i and the occurrence of ψ_i in φ is not within the scope of any negation. 

Then s ⊨ φ'. 

3 The Classification 

In this section we give a complete classification of H.M. properties which are preser- 
ved/reflected by ~-representations and ~-characterizations for certain classes of process 
equivalences which satisfy some (abstractly formulated) conditions. From the very be- 
ginning, we restrict ourselves to those equivalences which have a modal characterization. 

Definition 9. Let ~ be a process equivalence. We say that ~ has a modal characterization 
iff there is a set H of H.M. formulae s.t. for all processes s, t we have that s ~ t iff s 
and t satisfy exactly the same formulae of H. 

Observe that the same equivalence can have many different modal characterizations. 
Sometimes we also use the following notation (where s is a process): H_A := {φ | φ ∈ 
H ∧ Act(φ) ⊆ A}, H^k_A := {φ | φ ∈ H_A ∧ depth(φ) ≤ k}, H(s) := {φ | φ ∈ H ∧ s ⊨ 
φ}, and H^k_A(s) := {φ | φ ∈ H^k_A ∧ s ⊨ φ}. Note that if A is finite, then H^k_A contains 
only finitely many pairwise nonequivalent formulae. In that case we can thus consider 
H^k_A to be a finite set. 




504 



A. Kucera and J. Esparza 



3.1 H.M. Properties Preserved by ~-Representations 

Theorem 1. Let H be a modal characterization of a process equivalence ~. Then every 
formula φ which is a boolean combination of formulae from H is preserved by ~- 
representations. 

The previous theorem is in fact a trivial consequence of Definition 9. Now we would 
like to prove a kind of ‘completeness’ result saying that nothing else (except for formu- 
lae which are equivalent to boolean combinations of formulae from H) is preserved by 
~-representations. However, this property does not hold for an arbitrary modal charac- 
terization H; it is demonstrated by the following counterexample: 

Example 1. Let ~ be defined as follows: s ~ t iff a ∈ Act(s) ∩ Act(t), or Act(s) = 
Act(t). Let M = {(A_1, A_2) | A_1, A_2 are finite, nonempty, and disjoint subsets of Act}. 
The equivalence ~ has a modal characterization 

    H = { ⟨a⟩tt ∨ (⋀_{b ∈ A_1} ⟨b⟩tt ∧ ⋀_{c ∈ A_2} ¬⟨c⟩tt) | (A_1, A_2) ∈ M } 

Now observe that the formula ⟨a⟩tt is preserved by ~-representations, but it is not 
equivalent to any boolean combination of formulae from H. 

However, a simple assumption about H which is formulated in the next definition makes 
a completeness proof possible. 

Definition 10. We say that a modal characterization H of a process equivalence ~ is 
well-formed iff whenever φ ∈ H and ⟨a⟩ψ is an occurrence of a subformula in φ, then 
also φ' ∈ H where φ' is obtained from φ by substituting the occurrence of ⟨a⟩ψ with 
ff. 

As we shall see in Section 4, all ‘real’ process equivalences which have a modal charac- 
terization also have a well-formed modal characterization. An important (and naturally- 
looking) property of process equivalences which have a well-formed modal characteri- 
zation is presented in the following lemma: 

Lemma 5. Let ~ be a process equivalence having a well-formed modal characterization 
H. Let A ⊆ Act, k ∈ ℕ_0. For all T, T' ∈ Tree(A)_k we have that T ~ T' iff T and T' 
satisfy exactly the same formulae of H^k_A. 

Proof. The ‘⇒’ direction is obvious. Now it suffices to realize that if T and T' are 
distinguished by some φ ∈ H, then they are also distinguished by the formula φ' ∈ H^k_A 
which is obtained from φ by substituting every occurrence of a subformula ⟨a⟩ψ, which 
is within the scope of k other ⟨b⟩-modalities or where a ∉ A, with ff. The formulae φ 
and φ' agree on every element of Tree(A)_k, because the occurrences of subformulae in 
φ which have been substituted by ff during the construction of φ' are evaluated to false 
anyway. □ 
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Theorem 2. Let ^ be a process equivalence having a well-formed modal characteriza- 
tion H- Then every formula p ofH.M. logic which is preserved by ^-representations is 
equivalent to a boolean combination of formulae from %. 

Proof. Let φ be a formula preserved by ∼-representations, k = depth(φ), A = Act(φ) 
(note that A is finite). For every T ∈ Tree(A)_k we construct the formula 

\[
\Omega_T \;=\; \bigwedge_{\substack{\varrho \in H_A^k \\ T \models \varrho}} \varrho \;\wedge\; \bigwedge_{\substack{\varrho \in H_A^k \\ T \not\models \varrho}} \neg\varrho
\]

Now let 

\[
\Omega \;=\; \bigvee_{\substack{T \in Tree(A)_k \\ T \models \varphi}} \Omega_T
\]

We show that φ and Ω are equivalent. To do that, it suffices to show that φ and Ω agree 
on every T1 ∈ Tree(A)_k (see Lemma 2). 

- Let T1 ∈ Tree(A)_k s.t. T1 ⊨ φ. As T1 ⊨ Ω_{T1}, we also have T1 ⊨ Ω. 

- Let T1 ∈ Tree(A)_k s.t. T1 ⊨ Ω. Then there is T2 ∈ Tree(A)_k s.t. T2 ⊨ φ and 
T1 ⊨ Ω_{T2}. As T1 ⊨ Ω_{T2}, the Trees T1, T2 satisfy exactly the same formulae of H_A^k. 
Hence, T1 ∼ T2 due to Lemma 5. As φ is preserved by ∼-representations, T1 is a 
∼-representation of T2, and T2 ⊨ φ, we also have T1 ⊨ φ. □ 

Theorems 1 and 2 give a complete classification of those H.M. properties which are 
preserved and reflected (see Lemma 1) by ∼-representations for a process equivalence 
which has a well-formed modal characterization H. 

3.2 H.M. Properties Preserved by ∼-Characterizations 

Now we establish analogous results for ∼-characterizations. As we shall see, this problem 
is more complicated. 

The first difficulty has been indicated already in Section 2.1 - it does not make much 
sense to speak about ∼-characterizations if we are not guaranteed that s ∼ [s] for 
every process s. Unfortunately, there are process equivalences (even with a well-formed 
modal characterization) which do not satisfy this basic requirement. 

Example 2. Let ∼ be defined as follows: s ∼ t iff for each w ∈ Act* s.t. length(w) = 2 
we have that s —w→ s' for some s' iff t —w→ t' for some t'. The equivalence ∼ has a 
well-formed modal characterization 

\[
H = \{\, \langle a\rangle\langle b\rangle tt \mid a, b \in Act \,\} \;\cup\; \{\, \langle a\rangle ff \mid a \in Act \,\} \;\cup\; \{\, ff \,\}
\]

Now let s be a process where s → t, s → u, u → v, and t, u, v do not have any other 
transitions. Then t ∼ u ∼ v, hence [s] → [u], and therefore s ≁ [s]. 

However, there is a simple (and reasonable) condition which guarantees what we need. 

Definition 11. Let ∼ be a process equivalence. We say that ∼ has a closed modal 
characterization iff it has a modal characterization H which is closed under subformula 
(i.e., whenever φ ∈ H and ψ is a subformula of φ, then ψ ∈ H). 

A closed modal characterization is a particular case of a filtration. The next lemma 
is a well-known result of modal logic, stating that a model and its quotient through a 
filtration agree on every formula of the filtration [4]. We include a proof for the sake of 
completeness. 

Lemma 6. Let ∼ be a process equivalence having a closed modal characterization. 
Then s ∼ [s] for every process s. 

Proof. Let H be a closed modal characterization of ∼. We prove that for every φ ∈ H 
and every process s we have s ⊨ φ ⟺ [s] ⊨ φ (i.e., s ∼ [s]). By induction on the 
structure of φ. 

- φ = tt. Immediate. 

- φ = ¬ψ. Then ψ ∈ H and s ⊨ ψ ⟺ [s] ⊨ ψ by induction hypotheses. Hence 
also s ⊨ ¬ψ ⟺ [s] ⊨ ¬ψ as required. 

- φ = ψ ∧ ξ. Then ψ, ξ ∈ H. If ψ ∧ ξ distinguishes between s and [s], then ψ or 
ξ distinguishes between the two processes as well; we obtain a contradiction with 
induction hypotheses. 

- φ = ⟨a⟩ψ. 

• (⇒) Let s ⊨ ⟨a⟩ψ. Then there is some t such that s —a→ t and t ⊨ ψ. Therefore, 
[s] —a→ [t] and as ψ ∈ H, we can use induction hypothesis to conclude [t] ⊨ ψ. 
Hence, [s] ⊨ ⟨a⟩ψ. 

• (⇐) Let [s] ⊨ ⟨a⟩ψ. Then [s] —a→ [t] for some [t] s.t. [t] ⊨ ψ. By Definition 5 
there are s', t' such that s ∼ s', t ∼ t', and s' —a→ t'. As [t] = [t'],we have 
[t'] ⊨ ψ and hence t' ⊨ ψ by induction hypotheses. Therefore, s' ⊨ ⟨a⟩ψ. 
As s ∼ s' and ⟨a⟩ψ ∈ H, we also have s ⊨ ⟨a⟩ψ as needed (remember that 
formulae of H cannot distinguish between equivalent processes by Definition 9). 

□ 

According to our intuition presented in Section 2.1, ∼-characterizations should be more 
robust than ∼-representations, i.e., they should preserve more properties. The following 
definition gives a ‘syntactical template’ which allows one to construct such properties. 

Definition 12. Let S be a set of H.M. formulae. The set of diamond formulae over S, 
denoted D(S), is defined by the following abstract syntax equation: 

\[
\varphi ::= \eta \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \langle a\rangle\varphi
\]

Here a ranges over Act, and η ranges over boolean combinations of formulae from S. 
The set B(S) of box formulae over S is defined in the same way, but we use the [a]-modality 
instead of ⟨a⟩. 

Theorem 3. Let ∼ be a process equivalence having a closed modal characterization 
H. Then every formula of D(H) is preserved by ∼-characterizations. 
Proof. Let φ ∈ D(H). By induction on the structure of φ: 

- φ = η. It suffices to realize that η is preserved by ∼-representations (Theorem 2) 
and every ∼-characterization is also a ∼-representation (Lemma 6). 

- φ = φ1 ∧ φ2, or φ = φ1 ∨ φ2 where φ1, φ2 are preserved. Immediate. 

- φ = ⟨a⟩φ1 where φ1 is preserved. Let p be an arbitrary process s.t. p ⊨ ⟨a⟩φ1. Then 
there is p —a→ p' s.t. p' ⊨ φ1. By definition of ∼-characterization we have [p] —a→ [p']. 
Moreover, [p'] ⊨ φ1 as φ1 is preserved. Hence, [p] ⊨ ⟨a⟩φ1 as needed. □ 

In order to prove the corresponding completeness result, we need some additional assumptions 
about ∼ and H. 

Definition 13. Let ∼ be a process equivalence. We say that ∼ has a good modal 
characterization iff it has a closed modal characterization H which satisfies the following 
conditions: 

- if φ ∈ H, then also ⟨a⟩φ ∈ H for every a ∈ Act; 

- if φ ∈ H, then also r(φ) ∈ H for every renaming r; 

- if ⟨a⟩ψ is an occurrence of a subformula in φ, then also φ', φ'' ∈ H where φ' and 
φ'' are the formulae obtained from φ by substituting the occurrence of ⟨a⟩ψ with 
tt and ff, respectively; 

- if φ ∈ H and ¬ψ is a subformula of φ, then also ¬ξ ∈ H for every subformula ξ of 
ψ; 

- there are processes s, t such that Act(s) ∪ Act(t) is finite and H(s) ⊂ H(t). 

The requirements of Definition 13 look strange at first glance. In fact, the first four of them 
only eliminate a lot of ‘unnatural’ process equivalences from our considerations. The 
last requirement is also no problem, because the majority of ‘real’ process equivalences 
are defined as kernels of certain preorders, and one can always find processes s, t such 
that s is ‘strictly less’ than t in the preorder. 

Now we present a sequence of technical lemmas which are then used to prove the 
last main theorem of our paper. 

Lemma 7. Let H be a good modal characterization of a process equivalence ∼. For 
every n ∈ ℕ and every finite A ⊆ Act there are processes p1, ..., pn such that Act(p_i) 
is finite, Act(p_i) ∩ A = ∅, and H(p_i) ⊃ H(p_{i+1}) for each 1 ≤ i < n. 

Proof. Let s and t be processes such that H(s) ⊂ H(t). We can safely assume that 
(Act(s) ∪ Act(t)) ∩ A = ∅, because otherwise we can consider processes r(s), r(t) 
for an appropriate renaming r (observe that H(r(s)) ⊂ H(r(t)) due to Lemma 3 and 
Definition 13). Let ϑ be a formula such that t ⊨ ϑ and s ⊭ ϑ. Let a1, ..., an be 
fresh (unused) actions. The process p_i has (exactly) the following transitions: p_i —a_j→ s 
for every 1 ≤ j ≤ i ≤ n, and p_i —a_j→ t for every 1 ≤ i < j ≤ n. We prove that 
H(p_i) ⊃ H(p_{i+1}) for each 1 ≤ i < n. First, note that ⟨a_{i+1}⟩ϑ ∈ H, p_i ⊨ ⟨a_{i+1}⟩ϑ and 
p_{i+1} ⊭ ⟨a_{i+1}⟩ϑ. It remains to prove that for every φ ∈ H such that p_{i+1} ⊨ φ we also have 
p_i ⊨ φ. The formula φ can be viewed as a boolean combination of formulae of the form 
⟨a⟩ψ. We show that for each such ⟨a⟩ψ we have that p_{i+1} ⊨ ⟨a⟩ψ ⟺ p_i ⊨ ⟨a⟩ψ, or 
p_i ⊨ ⟨a⟩ψ and ⟨a⟩ψ is not within the scope of any negation in φ. It clearly suffices to 
conclude p_i ⊨ φ. We distinguish two possibilities: 

- p_{i+1} ⊨ ⟨a⟩ψ. As ψ ∈ H and H(s) ⊂ H(t), we also have p_i ⊨ ⟨a⟩ψ (see the 
construction of p_i above). 

- p_{i+1} ⊭ ⟨a⟩ψ. If p_i ⊭ ⟨a⟩ψ, we are done immediately. If p_i ⊨ ⟨a⟩ψ, then necessarily 
a = a_{i+1} and we obtain that t ⊨ ψ and s ⊭ ψ. If the formula ⟨a⟩ψ is within the scope 
of some negation in φ, we obtain ¬ψ ∈ H. As s ⊨ ¬ψ and t ⊭ ¬ψ, we have a 
contradiction with H(s) ⊂ H(t). □ 

Lemma 8. Let ∼ be a process equivalence having a closed modal characterization H. 
Let s, t be processes such that for every a ∈ Act we have 

\[
\bigcup_{s \xrightarrow{a} s'} H(s') \;=\; \bigcup_{t \xrightarrow{a} t'} H(t')
\]

Then s ∼ t. 

Proof. We show that for every φ ∈ H we have s ⊨ φ iff t ⊨ φ. By induction on the 
structure of φ. 

- φ = tt. Immediate. 

- φ = ψ ∧ ξ. Suppose that ψ ∧ ξ distinguishes between s and t. Then ψ, ξ ∈ H 
and at least one of those formulae must distinguish between s and t; we obtain a 
contradiction with induction hypotheses. 

- φ = ¬ψ. The same as above. 

- φ = ⟨a⟩ψ. Suppose, e.g., s ⊨ ⟨a⟩ψ and t ⊭ ⟨a⟩ψ. Then ψ ∈ H, ψ ∈ ⋃_{s —a→ s'} H(s') 
and ψ ∉ ⋃_{t —a→ t'} H(t'), a contradiction. □ 



Lemma 9. Let ∼ be a process equivalence having a good modal characterization H. Let 
A be a finite subset of Act, k ∈ ℕ₀. Let T1, T2 ∈ Tree(A)_k s.t. there is a homomorphism 
f from T2 to T1 which preserves ∼. Then the Trees T1, T2 can be extended (by adding 
some new states and transitions) in such a way that the obtained transition systems 
T1', T2' satisfy the following: 

- the homomorphism f can be extended to a homomorphism f' from T2' to T1' which 
also preserves ∼; 

- for every H.M. formula φ s.t. Act(φ) ⊆ A we have T1 ⊨ φ iff T1' ⊨ φ and T2 ⊨ φ 
iff T2' ⊨ φ; 

- the ‘old’ states of T1' (i.e., the ones which have not been added to T1 during the 
extension procedure) are pairwise nonequivalent w.r.t. ∼. 

Proof. First we describe the extension of T1 which yields the system T1'. This extension 
is then ‘propagated’ back to T2 via the homomorphism f - each state s of T2 is extended 
in the same way as the state f(s) of T1. Finally, we show that the three requirements of 
our lemma are satisfied. 

Let n be the number of states of T1, and let m be the number of those states t of T1 
for which there is a state s of T2 such that f(s) = t. Let p1, ..., pn be processes over 
a finite A' ⊆ Act such that H(p1) ⊃ H(p2) ⊃ ··· ⊃ H(pn) and A ∩ A' = ∅. Such 
processes must exist by Lemma 7. Now we take an arbitrary bijection b from the set of 
states of T1 to {1, ..., n} satisfying the following conditions: 

- if t = f(s) for some state s of T2, then b(t) ≤ m, 

- if there is a (nonempty) path from t to t' in T1, then b(t) > b(t'). 
Now we add to T1 all states of p1, ..., pn, and for each state t of T1 and each transition 
p_b(t) —a→ q we add the transition t —a→ q (i.e., the state t has the same set of a-successors 
as p_b(t) for every a ∈ A' after the modification). The described extension of T1 is now 
‘propagated’ to T2 in the above indicated way, yielding the system T2'. 

As A ∩ A' = ∅, the new transitions which have been added to T1 and T2 cannot 
influence the (in)validity of any H.M. formula φ s.t. Act(φ) ⊆ A. Hence, the second 
requirement of our lemma is satisfied. Moreover, it is easy to see that the third requirement 
is satisfied as well, because the ‘old’ states of T1' now satisfy pairwise different subsets 
of H_{A'}. It remains to show that the first requirement is also valid. 

The homomorphism f' is defined as a ‘natural’ extension of f - it agrees with f on 
the ‘old’ states of T2', and behaves like an identity function on the ‘new’ ones. Observe 
that if s is a ‘new’ state of T2', then the transition systems T2'(s) and T1'(f'(s)) are the 
same (isomorphic). Hence, f' trivially preserves ∼ on all ‘new’ states of T2'. To prove 
that s ∼ f'(s) for every ‘old’ state s of T2', we first need to show the following auxiliary 
lemma: let s1, ..., sj be ‘old’ states of T2', t an ‘old’ state of T1' such that 

- there is no state s of T2' such that f'(s) = t, 

- H_A(t) ⊆ ⋃_{i=1}^{j} H_A(s_i). 

Then H(t) ⊆ ⋃_{i=1}^{j} H(s_i). 

A proof of the auxiliary lemma: Let φ ∈ H such that t ⊨ φ. We show that s_i ⊨ φ 
for some 1 ≤ i ≤ j. First we construct a formula φ' ∈ H_A from φ in the following 
way (recall the notions introduced in Definition 8): every occurrence of a subformula 
⟨a⟩ψ in φ, a ∈ A', which is not within the scope of any ⟨b⟩-modality, where b ∈ A', is 
substituted by 

- tt if t ⊨ ⟨a⟩ψ or there is some t' ∈ R_t(⟨a⟩ψ) such that t' ⊨ ⟨a⟩ψ, 

- ff otherwise. 

Clearly φ' ∈ H_A (see Definition 13). We prove that t ⊨ φ' (i.e., φ' ∈ H_A(t)) by 
showing that the assumptions of Lemma 4 are satisfied for φ and the above defined 
substitution. Let ⟨a⟩ψ be a formula whose occurrence has been substituted in φ to obtain 
φ'. First, let us realize that every state of R_t(⟨a⟩ψ) is an ‘old’ one, because the 
modalities above the substituted occurrence are all over A (see above). We can 
distinguish two possibilities: 

- the occurrence of ⟨a⟩ψ has been substituted by tt. Then there are two subcases: 

• t ⊨ ⟨a⟩ψ. Remember that each ‘old’ state q of T1' has the same set of a-successors 
as p_b(q) for every a ∈ A'. Hence, p_b(t) ⊨ ⟨a⟩ψ because t ⊨ ⟨a⟩ψ. 
Furthermore, for every t' ∈ R_t(⟨a⟩ψ) we have H(p_b(t)) ⊆ H(p_b(t')) (see the 
definition of b above). Therefore, p_b(t') ⊨ ⟨a⟩ψ, thus we get t' ⊨ ⟨a⟩ψ. In 
other words, for every t' ∈ R_t(⟨a⟩ψ) we obtain t' ⊨ tt ⟺ t' ⊨ ⟨a⟩ψ. 

• there is t' ∈ R_t(⟨a⟩ψ) such that t' ⊨ ⟨a⟩ψ. First, if ⟨a⟩ψ is satisfied by every 
state of R_t(⟨a⟩ψ), we are done immediately. Otherwise, there is t'' ∈ R_t(⟨a⟩ψ) 
such that t'' ⊭ ⟨a⟩ψ. Now it suffices to show that the occurrence of ⟨a⟩ψ in 
φ cannot be within the scope of any negation (see the second condition of 
Lemma 4). Suppose the converse. As φ ∈ H and H is a good modal characterization, 
we know that both ⟨a⟩ψ and ¬⟨a⟩ψ ∈ H. As the processes t' 
and t'' have the same a-successors as the processes p_b(t') and p_b(t''), respectively, 
we obtain p_b(t') ⊨ ⟨a⟩ψ and p_b(t'') ⊭ ⟨a⟩ψ, hence also p_b(t') ⊭ ¬⟨a⟩ψ 
and p_b(t'') ⊨ ¬⟨a⟩ψ. Therefore, it cannot be that H(p_b(t')) ⊆ H(p_b(t'')) or 
H(p_b(t'')) ⊆ H(p_b(t')), a contradiction. 

- the occurrence of ⟨a⟩ψ has been substituted by ff. Then t' ⊭ ⟨a⟩ψ for each t' ∈ 
R_t(⟨a⟩ψ), and we are done immediately. 

Now we know that φ' ∈ H_A(t), hence there must be some s_i such that s_i ⊨ φ'. We 
prove that s_i ⊨ φ, again by applying Lemma 4 (observe that φ can be obtained from 
φ' by a substitution which is ‘inverse’ to the previously considered one). We show that 
the assumptions of Lemma 4 are satisfied also for φ' and the ‘inverse’ substitution, 
distinguishing two possibilities: 

- a given occurrence of tt is substituted ‘back’ to ⟨a⟩ψ. It means that we previously 
had t ⊨ ⟨a⟩ψ or t' ⊨ ⟨a⟩ψ for some t' ∈ R_t(⟨a⟩ψ). As H(p_b(f'(s))) ⊇ H(p_b(v)) 
for every ‘old’ state s of T2' and every ‘old’ state v of T1' which is reachable from 
t (see the definition of b and the construction of T2'), we can conclude that ⟨a⟩ψ is 
satisfied by each ‘old’ state of T2' (in particular, by all states of R_{s_i}(tt)). 

- a given occurrence of ff is substituted ‘back’ to ⟨a⟩ψ. If ⟨a⟩ψ is not satisfied by any 
state of R_{s_i}(ff), we are done immediately. We show that if there is some s' ∈ R_{s_i}(ff) 
such that s' ⊨ ⟨a⟩ψ, then the occurrence of ff in φ' cannot be within the scope of 
any negation. Suppose the converse. Then there is an occurrence of ⟨a⟩ψ in φ which 
is within the scope of some negation, hence ¬⟨a⟩ψ belongs to H. As t ⊨ ¬⟨a⟩ψ and 
H(p_b(t)) ⊆ H(p_b(f'(s'))) (see above), we have s' ⊨ ¬⟨a⟩ψ, a contradiction. 

Now we can continue with the main proof. We show that for each ‘old’ state s of T2' 
we have that s ∼ f'(s). We proceed by induction on the depth of the subtree which is 
rooted by s in T2 (denoted by d). 

- d = 0. Then s is a leaf in T2, hence the transition systems T2'(s) and T1'(f'(s)) are 
isomorphic. Hence, we trivially have s ∼ f'(s). 

- Induction step: We prove that 

\[
\bigcup_{s \xrightarrow{a} s'} H(s') \;=\; \bigcup_{f'(s) \xrightarrow{a} t} H(t)
\]

(hence s ∼ f'(s) by Lemma 8). If a ∈ A', the equality holds trivially because s and 
f'(s) have the same set of a-successors. Now let a ∈ A. By induction hypotheses 
we know that H(s') = H(f'(s')) for each a-successor s' of s. To finish the proof, 
we need to show that for each a-successor t of f'(s) for which there is no state 
q of T2' with f'(q) = t we have that H(t) ⊆ ⋃_{s —a→ s'} H(s'). However, it can be 
easily achieved with the help of the auxiliary lemma which has been proved above; 
all we need is to show that H_A(t) ⊆ ⋃_{s —a→ s'} H_A(s'). Suppose it is not the case, 
i.e., there is some ϑ ∈ H_A such that t ⊨ ϑ and s' ⊭ ϑ for each a-successor s' of 
s. Hence ⟨a⟩ϑ ∈ H_A, s ⊭ ⟨a⟩ϑ, and f(s) ⊨ ⟨a⟩ϑ; it contradicts the fact that the 
homomorphism f preserves ∼. □ 



Theorem 4. Let ∼ be a process equivalence having a good modal characterization H. 
Then every formula which is preserved by ∼-characterizations is equivalent to some 
formula of D(H). 
Proof. Let φ be a formula preserved by ∼-characterizations, k = depth(φ), A = 
Act(φ). For every T ∈ Tree(A)_k we define the formula ψ_T by induction on the depth 
of T: 

- if the depth of T is 0, then ψ_T = tt, 

- if the depth of T is j + 1, r is the root of T, and r —a1→ s1, ..., r —an→ sn are the 
outgoing arcs of r, then 

\[
\psi_T \;=\; \bigwedge_{\substack{\varrho \in H_A^{j+1} \\ T \models \varrho}} \varrho \;\wedge\; \bigwedge_{\substack{\varrho \in H_A^{j+1} \\ T \not\models \varrho}} \neg\varrho \;\wedge\; \bigwedge_{i=1}^{n} \langle a_i\rangle \psi_{T(s_i)}
\]

where T(s_i) is the sub-Tree of T rooted by s_i. 

Let 

\[
\psi \;=\; \bigvee_{\substack{T \in Tree(A)_k \\ T \models \varphi}} \psi_T
\]

We prove that φ, ψ are equivalent by showing that they agree on every T1 ∈ Tree(A)_k. 

- Let T1 ∈ Tree(A)_k s.t. T1 ⊨ φ. As T1 ⊨ ψ_{T1}, we immediately have T1 ⊨ ψ. 

- Let T1 ∈ Tree(A)_k s.t. T1 ⊨ ψ. Then there is T2 ∈ Tree(A)_k with T2 ⊨ φ 
and T1 ⊨ ψ_{T2}. We need to prove that T1 ⊨ φ. Suppose the converse, i.e., T1 ⊨ 
¬φ. Let r1, r2 be the roots of T1, T2, respectively. First we show that there is a 
homomorphism f from T2 to T1 s.t. for every node s of T2 we have f(s) ⊨ ψ_{T(s)}. 
The homomorphism f is defined by induction on the distance of s from r2. 

• s = r2. Then f(r2) = r1 (remember T1 ⊨ ψ_{T2}). 

• s is the successor of t where t —a1→ s1, ..., t —an→ sn are the outgoing arcs of 
t. The formula ψ_{T(t)} looks as follows: 

\[
\psi_{T(t)} \;=\; \bigwedge_{\substack{\varrho \in H_A^{k-d} \\ T(t) \models \varrho}} \varrho \;\wedge\; \bigwedge_{\substack{\varrho \in H_A^{k-d} \\ T(t) \not\models \varrho}} \neg\varrho \;\wedge\; \bigwedge_{i=1}^{n} \langle a_i\rangle \psi_{T(s_i)}
\]

where d is the distance of t from r2. Let f(t) = q. As q ⊨ ψ_{T(t)} (by induction 
hypotheses), there is some q —a_j→ q' s.t. q' ⊨ ψ_{T(s_j)}, where s = s_j. We put f(s) = q'. 

Observe that f also preserves ∼ because for every node s of T2 we have that s 
and f(s) satisfy exactly the same formulae of H_A^{k-d} (d is the distance of s from 
r2). Now we can apply Lemma 9 - the Trees T1, T2 can be extended to transition 
systems T1', T2' in such a way that the ‘old’ states of T1' are pairwise nonequivalent, 
φ is still valid (invalid) in r2 (r1), and the homomorphism f can be extended to a 
homomorphism f' which still preserves ∼. Let us define a transition system T = 
(S, A ∪ A' ∪ {b}, →) where 

• S is a disjoint union of the sets of states of T1' and T2', 

• A' is the set of ‘new’ actions of T1', T2' (cf. the proof of Lemma 9), b ∉ A ∪ A' 
is a fresh action, 

• → contains all transitions of T1' and T2'; moreover, we also have r2 —b→ r2, 
r1 —b→ r1, and r2 —b→ r1. 

The new b-transitions have been added just to make r1 reachable from r2. Observe 
that we still have r1 ∼ r2, r1 ⊨ ¬φ, and r2 ⊨ φ. As T2' can be ‘embedded’ into T1' 
by f', the ∼-characterization of the process r2 of T is the same (up to isomorphism) 
as the ∼-characterization of the process r1 of T1' with one additional arc [r1] —b→ [r1]. 
As the ‘old’ states of T1' (see Lemma 9) are pairwise non-equivalent w.r.t. ∼, and 
possible identification of the ‘new’ states of T1' in the ∼-characterization of r1 cannot 
influence (in)validity of any H.M. formula whose set of actions is contained in A, 
we can conclude that φ is not satisfied by the process [r1] of T1'. Hence, φ is not 
satisfied by the process [r1] = [r2] of T either. As φ is satisfied by the process r2 
of T, we can conclude that φ is not preserved by ∼-characterizations, and we have 
a contradiction. □ 

Theorems 3 and 4 together say that an H.M. property φ is preserved (reflected) by 
∼-characterizations, where ∼ is a process equivalence having a good modal characterization 
H, iff φ is equivalent to some diamond formula (or box formula - see Lemma 1) over 
H. 

4 Applications 

Our abstract results can be applied to many concrete process equivalences which have 
been deeply studied in concurrency theory. A nice overview and comparison of such 
equivalences has been presented in [18]; existing equivalences (eleven in total) are ordered 
w.r.t. their coarseness and a kind of modal characterization is given for each of 
them (unfortunately, not a good one in the sense of Definition 13). However, those characterizations 
can be easily modified so that they become good (there are two exceptions 
- see below). Due to the lack of space, we present a good modal characterization only 
for trace equivalence. 

Definition 14. The set of traces of a process s, denoted Tr(s), is defined by 

\[
Tr(s) = \{\, w \in Act^* \mid \exists t \text{ such that } s \xrightarrow{w} t \,\}
\]

We say that s, t are trace equivalent, written s =ₜ t, iff Tr(s) = Tr(t). 

A good modal characterization H for trace equivalence is given by 

\[
\varphi ::= tt \mid ff \mid \langle a\rangle\varphi
\]

where a ranges over Act. Let s, t be processes with transitions s —a→ s', t —a→ t', t' —a→ t'' 
(and no other transitions). Obviously H(s) ⊂ H(t). 

To see that even an infinite-state process can have a very small =ₜ-representation 
and =ₜ-characterization, consider the process p of Fig. 1. The process q is a =ₜ-representation 
of p, and the process r is the =ₜ-characterization of p. According to our results, 
the formula ⟨a⟩¬⟨a⟩tt which is satisfied by p is not generally preserved by =ₜ-representations, 
but it is preserved by =ₜ-characterizations. Indeed, we have q ⊭ ⟨a⟩¬⟨a⟩tt, 
while r ⊨ ⟨a⟩¬⟨a⟩tt. 

Fig. 1. An infinite-state process having finite =ₜ-representation and =ₜ-characterization 
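The same phenomenon on finite-state processes, as an added Python example that is not part of the paper: a model checker for the H.M. fragment above, the trace characterization H(s) cut off at a fixed modal depth, and the =ₜ-characterization built as a quotient. The processes P, Q, s, t and the action alphabet are constructed for the illustration and are not those of Fig. 1.

```python
"""Added example (not from the paper): a small model checker for the H.M. fragment of
Section 4 (tt, ff, negation, conjunction, <a>), the trace characterization H(s) cut off at
a fixed modal depth, and the quotient of a finite-state process by trace equivalence,
i.e. its =t-characterization.  Every process below is constructed for the illustration."""

# A transition system is a dict: state -> set of (action, successor) pairs; deadlocked
# states are keys with an empty set, so every state is present.

def successors(lts, s, a):
    return {t for (b, t) in lts[s] if b == a}

# Formulae as tuples: ('tt',), ('ff',), ('not', f), ('and', f, g), ('dia', a, f)
def holds(lts, s, f):
    op = f[0]
    if op == 'tt':
        return True
    if op == 'ff':
        return False
    if op == 'not':
        return not holds(lts, s, f[1])
    if op == 'and':
        return holds(lts, s, f[1]) and holds(lts, s, f[2])
    if op == 'dia':
        return any(holds(lts, t, f[2]) for t in successors(lts, s, f[1]))
    raise ValueError(f"unknown formula {f!r}")

def trace_formulae(actions, depth):
    """The good modal characterization of trace equivalence (Definition 14),
    phi ::= tt | ff | <a>phi, restricted to modal depth <= depth.  For acyclic
    processes whose traces are shorter than `depth` nothing is lost."""
    level = [('tt',), ('ff',)]
    forms = list(level)
    for _ in range(depth):
        level = [('dia', a, f) for a in actions for f in level]
        forms.extend(level)
    return forms

def H(lts, s, formulae):
    """H(s): the formulae of the characterization that s satisfies."""
    return frozenset(f for f in formulae if holds(lts, s, f))

def characterization(lts, formulae):
    """Quotient by trace equivalence: states with the same H(s) are merged and
    [s] -a-> [t] iff some member of [s] has an a-transition into [t]."""
    cls = {}          # H(s) -> representative state of the class
    rep = {}          # state -> representative of its class
    for s in sorted(lts):
        rep[s] = cls.setdefault(H(lts, s, formulae), s)
    quotient = {r: set() for r in cls.values()}
    for s, arcs in lts.items():
        for (a, t) in arcs:
            quotient[rep[s]].add((a, rep[t]))
    return quotient, rep

ACTIONS = ['a']
FORMS = trace_formulae(ACTIONS, depth=3)
PHI = ('dia', 'a', ('not', ('dia', 'a', ('tt',))))   # <a>not<a>tt, a diamond formula over H

# Constructed: P satisfies PHI through its deadlocked a-successor p1.
P = {'p': {('a', 'p1'), ('a', 'p2')}, 'p1': set(), 'p2': {('a', 'p3')}, 'p3': set()}
# Constructed: Q has exactly the traces of P (a and aa), so q is a =t-representation
# of p, but q is deterministic and its only a-successor can still do an a.
Q = {'q': {('a', 'q1')}, 'q1': {('a', 'q2')}, 'q2': set()}
# Constructed pair with H(s) strictly contained in H(t), as required by Definition 13.
ST = {'s': {('a', 's1')}, 's1': set(), 't': {('a', 't1')}, 't1': {('a', 't2')}, 't2': set()}

def check_example():
    both = {**P, **Q}
    quotient, rep = characterization(P, FORMS)
    return {
        'p =t q': H(both, 'p', FORMS) == H(both, 'q', FORMS),
        'p |= phi': holds(both, 'p', PHI),
        'q |= phi': holds(both, 'q', PHI),              # the representation loses PHI
        '[p] |= phi': holds(quotient, rep['p'], PHI),   # the characterization keeps it (Theorem 3)
        'p =t [p]': H(P, 'p', FORMS) == H(quotient, rep['p'], FORMS),   # Lemma 6
        'classes of P': len(quotient),
    }

def strict_inclusion():
    return H(ST, 's', FORMS) < H(ST, 't', FORMS)

if __name__ == '__main__':
    for name, value in check_example().items():
        print(f"{name}: {value}")
    print("H(s) strictly below H(t):", strict_inclusion())
```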

An interesting related problem is whether a given infinite-state process has for 
a given ∼ any finite ∼-representation, and whether its ∼-characterization is finite. It is 
also known as the regularity and strong regularity problem (see also [13]). Some decidability 
results for various equivalences and various classes of infinite-state processes 
have already been established [3,12,9,10,14], but this area still contains a number of 
open problems. 

The only equivalences of [18] which do not have a good modal characterization are 
bisimilarity [17] and completed trace equivalence. Bisimilarity is not a ‘real’ problem, in 
fact (only the last requirement of Definition 13 cannot be satisfied); a modal characterization 
of bisimilarity is formed by all H.M. formulae, and therefore each H.M. formula 
is trivially preserved and reflected by ∼-representations and ∼-characterizations. As for 
completed trace equivalence, the problem is that this equivalence requires a simple infinite 
conjunction, or a generalized ⟨•⟩ modality (which can be phrased ‘after any action’), 
which are not at our disposal. 



5 Related and Future Work 



In the context of process theory, modal characterizations were introduced by Hennessy 
and Milner in their seminal paper [7]. The paper provides characterizations of bisimulation, 
simulation, and trace equivalence as full, conjunction-free, and negation-free 
Hennessy-Milner logic, respectively. The result stating that bisimulation equivalence is 
also characterized by the modal μ-calculus seems to be folklore. In [18], van Glabbeek 
introduces the equivalences of his hierarchy by means of sets of formulae, in a style 
close to modal characterizations. 

In [11], Kaivola and Valmari determine weakest equivalences preserving certain 
fragments of linear time temporal logic. In [6], Goltz, Kuiper, and Penczek study the 
equivalences characterized by various logics in a partial order setting. 

An interesting open problem is whether it is possible to give a similar classification 
for some richer (more expressive) logic. Also, we are not sufficiently acquainted with 
work on modal logic outside of computer science (or before computer science was 
born). Work on filtrations [4] or partial isomorphisms [5] should help us to simplify and 
streamline our proofs. 
Abstract. This paper represents the beginning of a study aimed at 
devising semantic models for true concurrency that provide clear distinctions 
between concurrency, parallelism and choice. We present a simple 
programming language which includes (weakly) sequential composition, 
asynchronous and synchronous parallel composition, a restriction operator, 
and that supports recursion. We develop an operational and a 
denotational semantics for this language, and we obtain a theorem relating 
the behavior of a process as described by the transition system 
to the meaning of the process in the denotational model. This implies 
that the denotational model is adequate with respect to the operational 
model. Our denotational model is based on the resource traces of Gastin 
and Teodesiu, and since a single resource trace represents all possible 
executions of a concurrent process, we are able to model each term of 
our concurrent language by a single trace. Therefore we obtain a deterministic 
semantics for our language and we are able to model parallelism 
without introducing nondeterminism. 



1 Introduction 

The basis for building semantic models to support parallel composition of processes 
was laid out in the seminal work of Hennessy and Plotkin [5]. That work 
showed how power domains could be used to provide such models, but at the 
expense of introducing nondeterminism in the models, and also into the language. 
In this paper, we present an alternative approach to modeling parallelism 
that avoids nondeterminism. Our approach relies instead on true concurrency 
and more specifically on trace theory (as the area is called). Trace theory was 
introduced in the seminal work of Mazurkiewicz [6] in order to devise models for 
Petri nets, themselves a model of nondeterministic automata [8]. A great deal of 
research has been carried out in this area (cf. [3]), but programming semantics 
has not benefited from this research. The reasons are twofold: first, research in 
trace theory has focused on automata theory, for obvious reasons. The second 
reason is perhaps more telling: the traditional models which were developed for 
the concatenation operator of trace theory do not support a partial order relative 
to which concatenation is continuous (in the sense of Scott), nor are they 
metric spaces relative to which concatenation is a contraction. This means that 
the standard methods for modeling recursion are not available in these models, 
and so their use in modeling programming language constructs is limited. 

* Partial support provided by the National Science Foundation and the US Office of 

Even so, domain-theoretic connections to trace theory abound in the literature, 
owing mainly to Winskel’s insight that certain domains - prime event 
structures - provide models for concurrency [9]. There also is the work of Pratt [7] 
that introduced pomsets, which are models for trace theory. But none of this work 
has developed a programming semantics approach in which there is an abstract 
language based on the concatenation operator. 

Recently Diekert, Gastin and Teodesiu have developed models for trace theory 
that are cpos relative to which the concatenation operator is Scott continuous [2, 4]. 
This opens the way for studying a trace-theoretic approach to concurrency, 
using these structures as the denotational models for such a language. This paper 
reports the first research results into this area. It presents a truly concurrent 
language which supports a number of interesting operators: the concatenation 
operator of trace theory, a restriction operator that confines processes to a certain 
set of resources, a synchronization operator that allows processes to execute 
independently, synchronizing on those actions which share common channels in 
the synchronization set, and that includes process variables and recursion. 

The basis for our language is the concatenation operator from trace theory. 
In trace theory, independent actions can occur concurrently while dependent 
actions must be ordered. Therefore the concatenation of traces is only weakly 
sequential: it allows the beginning of the second process to occur independently 
of the end of the first process provided they are independent. We think this is 
a very attractive feature that corresponds to the automatic parallelization of 
processes. We also can model purely sequential composition by ending a process 
with a terminating action upon which all other actions depend. 

The rest of the paper is organized as follows. In Section 2 we provide some 
preliminary background on domain theory, on trace theory generally, and on the 
resource traces model of Gastin and Teodesiu [4]. These are the main ingredients 
of the semantic models for our language. The syntax of our language is the 
subject of Section 3, and this is followed by Section 4 in which we explore the 
properties of the resource mapping that assigns to each action its set of resources; 
the results of this section are needed for both the operational and denotational 
semantics. Section 5 gives the transition system and the resulting operational 
semantics of our language, and also shows that the operational transition system 
is Church-Rosser. Section 6 is devoted to the denotational model, and the seventh 
section presents the main theorem relating the operational and the denotational 
semantics. 

Due to space limitations, most proofs are omitted and will appear in a forth- 
coming full version of this paper. 
2 Preliminaries 

In this section we review some basic results from domain theory, and then some 
results from trace theory. A standard reference for domain theory is [1], and 
most of the results we cite can be found there. Similarly, for the theory of traces 
the reader is referred to [3]; specific results on resource traces can be found in [4]. 

2.1 Domain Theory 

To begin, a poset is a partially ordered set, usually denoted P. The least element 
of P (if it exists) is denoted ⊥, and a subset D ⊆ P is directed if each finite 
subset F ⊆ D has an upper bound in D. Note that since F = ∅ is a possibility, 
a directed subset must be non-empty. A (directed) complete partial order (dcpo) 
is a poset P in which each directed set has a least upper bound. If P also has 
a least element, then it is called a cpo. If P and Q are posets and f: P → Q 
is a monotone map, then f is (Scott) continuous if f preserves sups of directed 
sets: if D ⊆ P is directed and x = ⋁D ∈ P exists, then ⋁f(D) ∈ Q exists and 
f(⋁D) = ⋁f(D). 

If P is a dcpo, the element k ∈ P is compact if, for each directed subset 
D ⊆ P, if k ⊑ ⋁D, then (∃d ∈ D) k ⊑ d. The set of compact elements of 
P is denoted K(P), and for an element x ∈ P, K(x) = K(P) ∩ ↓x, where 
↓x = {y ∈ P | y ⊑ x}. P is algebraic if K(x) is directed and x = ⋁K(x) for each 
x ∈ P. 

2.2 Resource Traces 

We start with a finite alphabet Σ, a finite set R of resources, and a mapping 
res: Σ → P(R) satisfying res(a) ≠ ∅ for all a ∈ Σ. We can then define a 
dependence relation on Σ by (a,b) ∈ D iff res(a) ∩ res(b) ≠ ∅. The dependence 
relation is reflexive and symmetric and its complement I = (Σ × Σ) \ D is called 
the independence relation on Σ. 

A real trace t over (Σ, D) is the isomorphism class of a labeled, directed 
graph t = [V, E, λ], where V is a countable set of events, E ⊆ V × V is the 
synchronization relation on V, and λ: V → Σ is a node-labeling satisfying 

- ∀p ∈ V, ↓p = {q ∈ V | (q,p) ∈ E*} is finite, 

- ∀p, q ∈ V, (λ(p), λ(q)) ∈ D ⟹ (p,q) ∈ E ∪ E⁻¹ ∪ {(p,p) | p ∈ V} 

The trace t is finite if V is finite and the length of t is |t| = |V|. The set of 
real traces over (Σ, D) is denoted by ℝ(Σ, D), and the set of finite traces by 
𝕄(Σ, D). 

The alphabet of a real trace t is the set Alph(t) = λ(V) of letters which 
occur in t. We also define the alphabet at infinity of t as the set alphinf(t) of 
letters which occur infinitely often in t. We extend the resource mapping to real 
traces by defining res(t) = res(Alph(t)). The resources at infinity of t is the set 
resinf(t) = res(alphinf(t)). A real trace is finite iff alphinf(t) = resinf(t) = ∅. 

A partial concatenation operation is defined on real traces as follows: Let t\ = 
[Li,Pi, Ai] and t 2 = [V 2 ,p 2 , A 2 ] be real traces such that resinf(ti) rires(t 2 ) = 0, 
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then the concatenation of ti and t 2 is the real trace ti ■ t 2 = \V, E, A] obtained 
by taking the disjoint union of ti and t 2 and adding necessary edges from ti to 
t 2 , i.e., V = Vi U V 2 , A = Ai U A 2 , and E = EiO E 2 U(Vi x V 2 fi A^^(D)). In this 
representation, the empty trace 1 = [0,0,0] is the identity. 

The monoid of finite traces (M(if, D), •) is isomorphic to the quotient monoid 
E* 1= of the free monoid E* of finite words over E, modulo the least congruence 
generated by {{ab,ba) \ (a,b) € /}. 

The prefix ordering is defined on real traces by r < t iff there exists a real 
trace s such that t = r ■ s. When r < t, then the trace s satisfying t = r ■ s 
is unique and is denoted by r^^t. , D), <) is a dcpo with the empty trace 

as least element. The compact elements of (R(i7, D),<) are exactly the finite 
traces. 

Just as in the case of the concatenation of words, the concatenation operation on $\mathbb{M}(\Sigma, D)$ is not monotone with respect to the prefix order: for instance $1 \le a$, but $1 \cdot b = b \not\le a \cdot b$ whenever $(a,b) \in D$. It is for this reason that $\mathbb{M}(\Sigma, D)$ cannot be completed into a dcpo on which concatenation is continuous, and so it is not clear how to use traces as a basis for a domain-theoretic model for the concatenation operator of trace theory.

This shortcoming was overcome by the work of Diekert, Gastin and Teodosiu [2,4]. In this paper, we will use the latter work as a basis for the denotational models for our language. The resource trace domain over $(\Sigma, \mathcal{R}, \mathrm{res})$ is then defined to be the family

$\mathbb{F}(\Sigma, D) = \{(r, R) \mid r \in \mathbb{R}(\Sigma, D),\ R \subseteq \mathcal{R} \text{ and } \mathrm{resinf}(r) \subseteq R\}.$

For a resource trace $x = (r, R) \in \mathbb{F}(\Sigma, D)$, we call $\mathrm{Re}(x) = r$ the real part of $x$ and $\mathrm{Im}(x) = R$ the imaginary part of $x$. Most resource traces are meant to describe approximations of actual processes. The real part describes what has already been observed from the process and the imaginary part is the set of resources allocated to the process for its completion. The set of resource traces $\mathbb{F}(\Sigma, D)$ is thus endowed with a partial order called the approximation order:

$(r, R) \sqsubseteq (s, S) \Leftrightarrow r \le s \text{ and } R \supseteq S \cup \mathrm{res}(r^{-1}s).$

We also endow $\mathbb{F}(\Sigma, D)$ with the concatenation operation

$(r, R) \cdot (s, S) = (r \cdot \mu_R(s),\ R \cup S \cup \sigma_R(s)),$

where $\mu_R(s)$ is the largest prefix $u$ of $s$ satisfying $\mathrm{res}(u) \cap R = \emptyset$ and $\sigma_R(s) = \mathrm{res}(\mu_R(s)^{-1}s)$. Intuitively, the product $(r, R) \cdot (s, S)$ is the best approximation we can compute for the composition of two processes if we only know their approximations $(r, R)$ and $(s, S)$.

It turns out that $(\mathbb{F}, \sqsubseteq)$ is a dcpo with least element $(1, \mathcal{R})$, where $1$ is the empty trace. Moreover, the concatenation operator defined above is continuous with respect to this order. In other words, $(\mathbb{F}, \sqsubseteq, \cdot)$ is a continuous algebra in the sense of domain theory. The dcpo $(\mathbb{F}, \sqsubseteq)$ is also algebraic, and a resource trace $x = (r, R)$ is compact if and only if it is finite, that is, iff its real part $r$ is finite.

We close this section with a simple result about the resource mapping.

Proposition 1. The resource mapping $\mathrm{res}\colon \Sigma \to \mathcal{P}(\mathcal{R})$ extends to a continuous mapping $\mathrm{res}\colon \mathbb{F}(\Sigma, D) \to (\mathcal{P}(\mathcal{R}), \supseteq)$ defined by $\mathrm{res}(r, R) = \mathrm{res}(r) \cup R$. □
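The definitions of this section become concrete once finite traces are handled as words modulo the independence relation. The following Python program is an added example, not code from the paper: it fixes a small constructed resource alphabet, decides trace equality through the Foata normal form, computes the prefix quotient $r^{-1}s$, the resource-bounded prefix $\mu_R(s)$ and the resource-trace product $(r,R)\cdot(s,S)$, and checks the approximation order. The alphabet, the resource names and the function names are this example's own assumptions. The last function shows the point made above: concatenation of plain traces is not monotone, while an approximation in $\mathbb{F}$ survives concatenation.

```python
"""Finite traces and resource traces over a resource alphabet (Section 2.2).

Added example, not code from the paper. A finite trace is represented by any
word over Sigma; two words denote the same trace iff they have the same Foata
normal form, computed from the dependence relation D that `res` induces. The
alphabet and its resource map below are constructed for illustration.
"""

# Constructed resource alphabet: each action and the resources it needs.
RES = {
    "a": frozenset({"m1"}),       # memory cell m1
    "b": frozenset({"m2"}),       # memory cell m2
    "c": frozenset({"m1", "p"}),  # m1 and port p
    "d": frozenset({"p"}),        # port p
}


def dependent(x, y):
    """(x, y) in D iff res(x) and res(y) share a resource."""
    return bool(RES[x] & RES[y])


def res_of(word):
    """res(t): union of res(a) over the letters a occurring in t."""
    return frozenset().union(*(RES[x] for x in word))


def below(word):
    """down[i] = positions j with event j <= event i in the trace order
    (a chain of pairwise dependent letters from j up to i), i included."""
    down = []
    for i, x in enumerate(word):
        s = {i}
        for j in range(i):
            if dependent(word[j], x):
                s |= down[j]
        down.append(s)
    return down


def foata(word):
    """Foata normal form: level k holds the events whose longest chain of
    dependent predecessors has length k. It is canonical for the trace."""
    down, level = below(word), []
    for i in range(len(word)):
        level.append(1 + max((level[j] for j in down[i] if j != i), default=0))
    steps = {}
    for i, x in enumerate(word):
        steps.setdefault(level[i], []).append(x)
    return tuple(tuple(sorted(steps[k])) for k in sorted(steps))


def same_trace(u, v):
    return foata(u) == foata(v)


def quotient(r, s):
    """r^{-1} s if r <= s in the prefix order, else None. The letters of r are
    cancelled from s one at a time; each must be a minimal event of what is
    left, i.e. no letter dependent on it may precede it."""
    rest = list(s)
    for x in r:
        for k, y in enumerate(rest):
            if y == x:
                del rest[k]
                break
            if dependent(x, y):
                return None
        else:
            return None
    return "".join(rest)


def mu(s, R):
    """mu_R(s), the largest prefix u of s with res(u) & R empty, and the
    remainder mu_R(s)^{-1} s. An event is in u iff neither it nor any event
    below it uses a resource of R; that set of events is downward closed."""
    down = below(s)
    keep = [i for i in range(len(s)) if not any(RES[s[j]] & R for j in down[i])]
    return ("".join(s[i] for i in keep),
            "".join(s[i] for i in range(len(s)) if i not in keep))


def concat(x, y):
    """(r, R) . (s, S) = (r . mu_R(s), R | S | res(mu_R(s)^{-1} s))."""
    (r, R), (s, S) = x, y
    u, rest = mu(s, R)
    return (r + u, R | S | res_of(rest))


def approx(x, y):
    """(r, R) approximates (s, S): r is a prefix of s and R covers S together
    with everything the extension r^{-1} s uses."""
    (r, R), (s, S) = x, y
    t = quotient(r, s)
    return t is not None and R >= S | res_of(t)


def monotonicity_contrast():
    """Plain traces: 1 <= a, yet 1.c = c is not a prefix of a.c = ac, because
    c depends on a. Resource traces: (1,{m1}) approximates (a,{}), and the
    approximation survives concatenation with (c,{}) because the product
    keeps the blocked c inside the resource claim. Returns both outcomes."""
    plain = quotient("c", "ac") is not None
    x, y, z = ("", {"m1"}), ("a", frozenset()), ("c", frozenset())
    return plain, approx(x, y) and approx(concat(x, z), concat(y, z))
```

The Foata normal form is used as the canonical representative because two words are $\equiv_I$-equivalent exactly when their normal forms coincide; $\mu_R$ is computed from the downward closure of each event, which is what makes the returned prefix the largest one that avoids $R$.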
2.3 Alphabetic Mappings

The results presented in this section are new. They are useful for the denotational semantics of our parallel composition operator.

Let $\mathrm{res}\colon \Sigma \to \mathcal{P}(\mathcal{R})$ and $\mathrm{res}'\colon \Sigma' \to \mathcal{P}(\mathcal{R})$ be two resource maps and let $D$ and $D'$ be the associated dependence relations over the alphabets $\Sigma$ and $\Sigma'$.

Let $\varphi\colon \Sigma \to \Sigma' \cup \{1\}$ be an alphabetic mapping such that $\mathrm{res}'(\varphi(a)) \subseteq \mathrm{res}(a)$ for all $a \in \Sigma$ (where $\mathrm{res}'(1) = \emptyset$). We extend $\varphi$ to real traces: if $r = [V, E, \lambda] \in \mathbb{R}(\Sigma, D)$, then we define $\varphi(r) = [V', E', \lambda']$ by $V' = \{e \in V \mid \varphi \circ \lambda(e) \neq 1\}$, $\lambda' = \varphi \circ \lambda$ and $E' = E \cap \lambda'^{-1}(D') = \{(e,f) \in E \mid \lambda'(e)\, D'\, \lambda'(f)\}$. The mapping $\varphi$ is said to be non-erasing if $\varphi(a) \neq 1$ for all $a \in \Sigma$.

Proposition 2.

1. $\varphi\colon (\mathbb{R}(\Sigma, D), \cdot) \to (\mathbb{R}(\Sigma', D'), \cdot)$ is a morphism.

2. $\varphi\colon (\mathbb{R}(\Sigma, D), \le) \to (\mathbb{R}(\Sigma', D'), \le)$ is continuous.

We now extend $\varphi$ to a mapping over resource traces of $\mathbb{F}(\Sigma, D)$ simply by defining $\varphi(r, R) = (\varphi(r), R)$. Since $\mathrm{res}'(\varphi(a)) \subseteq \mathrm{res}(a)$ for all $a \in \Sigma$, we deduce that $\mathrm{resinf}'(\varphi(r)) \subseteq \mathrm{resinf}(r) \subseteq R$ and so $(\varphi(r), R)$ is a resource trace over $\Sigma'$. Hence, $\varphi\colon \mathbb{F}(\Sigma, D) \to \mathbb{F}(\Sigma', D')$ is well defined.

Proposition 3.

1. $\varphi\colon (\mathbb{F}(\Sigma, D), \sqsubseteq) \to (\mathbb{F}(\Sigma', D'), \sqsubseteq)$ is continuous.

2. If $\mathrm{res}'(\varphi(a)) = \mathrm{res}(a)$ for all $a \in \Sigma$, then $\varphi\colon (\mathbb{F}(\Sigma, D), \cdot) \to (\mathbb{F}(\Sigma', D'), \cdot)$ is a non-erasing morphism. □



3 The Language

In this section we introduce a simple parallel programming language. We begin once again with a finite set $\Sigma$ of atomic actions, a finite set $\mathcal{R}$ of resources, and a mapping $\mathrm{res}\colon \Sigma \to \mathcal{P}(\mathcal{R})$ which assigns to each $a \in \Sigma$ a non-empty set of resources. We view $\mathrm{res}(a)$ as the set of resources (memory, ports, etc.) that the action $a$ needs in order to execute. Two actions $a, b \in \Sigma$ may be executed concurrently if and only if they are independent, i.e. iff they do not share any resource. We define the BNF-like syntax of the language $\mathcal{L}$ we study as

$p ::= \mathrm{STOP} \mid a \mid p \circ p \mid p|_R \mid p \parallel_C p \mid x \mid \mathrm{rec}\,x.p$

where

- $\mathrm{STOP}$ is the process capable of no actions but claiming all resources; it is full deadlock.

- $a \in \Sigma$ denotes the process which can execute the action $a$ and then terminate normally.

- $p \circ q$ denotes the weak sequential composition of the two argument processes, with the understanding that independent actions commute with one another: $a \circ b = b \circ a$ if $(a,b) \in I$. We call $\circ$ weak sequential composition because it enforces sequential composition of those actions which are dependent, while allowing those which are independent of one another to execute concurrently.

- $p|_R$ denotes the process $p$ with all resources restricted to the subset $R \subseteq \mathcal{R}$. Only those actions $a$ from $p$ can execute for which $\mathrm{res}(a) \subseteq R$; all other actions are disabled.

- $p \parallel_C q$ denotes the parallel composition of the component processes, synchronizing on all actions $a$ which satisfy $\mathrm{res}(a) \cap C \neq \emptyset$, where $C \subseteq \mathcal{R}$. Those actions from either component which do not have any resources in common with any of the actions in the other component nor any resources lying in $C$ are called local and can execute independently. Since our semantics is deterministic, this process can only make progress as long as there are no actions from either component that use resources that some action from the other component also uses, except in the case of synchronization actions. If this condition is violated, the process deadlocks.

- $x \in \mathcal{V}$ is a process variable.

- $\mathrm{rec}\,x.p$ denotes recursion of the process body $p$ in the variable $x$.

One of the principal impetuses for our work is the desire to understand the 
differences between parallel composition, choice and nondeterminism. Histori- 
cally, nondeterministic choice arose as a convenient means with which to model 
parallel composition, namely, as the set of possible interleavings of the actions 
of each component. We avoid nondeterminism, and in fact our language is deter- 
ministic. But we still support parallel composition - that in which the actions 
of each component are independent. 

A parallel composition involves choice whenever there is a competition bet- 
ween conflicting events. Since we use a truly concurrent semantic domain, our 
events are not necessarily conflicting and we can consider a very natural and im- 
portant form of cooperative parallel composition which does not require choice 
or nondeterminism. Each process consists of local events which occur indepen- 
dently of the other process and of synchronization events which are executed 
in matching pairs. These synchronization events may introduce conflict when 
the two processes offer non-matching synchronization events. Since nondetermi- 
nistic choice is unavailable, conflicting events result in deadlock in our parallel 
composition. Note that this situation does not occur in a cooperative parallel 
composition, e.g. in a parallel sorting algorithm. 

We view the BNF-like syntax given above as the signature $\Omega = (\Omega_n)_{n \ge 0}$ of a single-sorted universal algebra, where the index $n$ denotes the arity of the operators in the subset $\Omega_n$. In our case, we have

Nullary operators: $\Omega_0 = \{\mathrm{STOP}\} \cup \Sigma \cup \mathcal{V}$,

Unary operators: $\Omega_1 = \{-|_R \mid R \subseteq \mathcal{R}\} \cup \{\mathrm{rec}\,x.- \mid x \in \mathcal{V}\}$,

Binary operators: $\Omega_2 = \{\circ\} \cup \{\parallel_C \mid C \subseteq \mathcal{R}\}$, and

$\Omega_n = \emptyset$ for all other $n$;

then $\mathcal{L}$ is the initial $\Omega$-algebra. This means that, given any $\Omega$-algebra $A$, there is a unique $\Omega$-algebra homomorphism $\varphi_A\colon \mathcal{L} \to A$, i.e., a unique compositional mapping from $\mathcal{L}$ to $A$.
4 The Resource Mapping

In this section we define the resources which may be used by a process $p \in \mathcal{L}$. This is crucial for defining the operational semantics of weak sequential composition and of parallel composition. We extend the mapping $\mathrm{res}\colon \Sigma \to \mathcal{P}(\mathcal{R})$ to the full language $\mathcal{L}$ with variables and recursion. In order to define the resource set associated with a process with free variables, we use a resource environment, a mapping $\sigma\colon \mathcal{V} \to \mathcal{P}(\mathcal{R})$ assigning a resource set to each variable. Any resource environment $\sigma \in \mathcal{P}(\mathcal{R})^{\mathcal{V}}$ can be locally overridden in its value at $x$:

$\sigma[x \mapsto R](y) = R$ if $y = x$, and $\sigma[x \mapsto R](y) = \sigma(y)$ otherwise,

where $R \in \mathcal{P}(\mathcal{R})$ is any resource set we wish to assign at $x$.

Now, we define inductively the resources of a process $p \in \mathcal{L}$ in the resource environment $\sigma \in \mathcal{P}(\mathcal{R})^{\mathcal{V}}$ by:

- $\mathrm{res}(\mathrm{STOP}, \sigma) = \mathcal{R}$,

- $\mathrm{res}(a, \sigma) = \mathrm{res}(a)$ for all $a \in \Sigma$,

- $\mathrm{res}(p|_R, \sigma) = \mathrm{res}(p, \sigma) \cap R$ for all $R \subseteq \mathcal{R}$,

- $\mathrm{res}(p \circ q, \sigma) = \mathrm{res}(p, \sigma) \cup \mathrm{res}(q, \sigma)$,

- $\mathrm{res}(p \parallel_C q, \sigma) = \mathrm{res}(p, \sigma) \cup \mathrm{res}(q, \sigma)$,

- $\mathrm{res}(x, \sigma) = \sigma(x)$ for all $x \in \mathcal{V}$,

- $\mathrm{res}(\mathrm{rec}\,x.p, \sigma) = \mathrm{res}(p, \sigma[x \mapsto \emptyset])$.

For instance, we have $\mathrm{res}(\mathrm{STOP}|_R, \sigma) = R$, $\mathrm{res}(\mathrm{rec}\,x.(a \circ x \circ b), \sigma) = \mathrm{res}(a) \cup \mathrm{res}(b)$ and $\mathrm{res}((\mathrm{rec}\,x.(x \circ a)) \parallel_C (\mathrm{rec}\,y.(b \circ y)), \sigma) = \mathrm{res}(a) \cup \mathrm{res}(b)$.

It is easy to see that the map $\mathrm{res}(p, -)\colon (\mathcal{P}(\mathcal{R}), \supseteq)^{\mathcal{V}} \to (\mathcal{P}(\mathcal{R}), \supseteq)$ is continuous for each process $p \in \mathcal{L}$. A crucial result concerning the resource map states that the definition of recursion is actually a fixed point.

Proposition 4. Let $p \in \mathcal{L}$ be a process and $\sigma \in \mathcal{P}(\mathcal{R})^{\mathcal{V}}$ be a resource environment. Then $\mathrm{res}(\mathrm{rec}\,x.p, \sigma)$ is the greatest fixed point of the mapping

$\mathrm{res}(p, \sigma[x \mapsto -])\colon (\mathcal{P}(\mathcal{R}), \supseteq) \to (\mathcal{P}(\mathcal{R}), \supseteq).$ □

In fact, we can endow the set of continuous maps $[\mathcal{P}(\mathcal{R})^{\mathcal{V}} \to \mathcal{P}(\mathcal{R})]$ with the structure of a continuous $\Omega$-algebra. The constants $\mathrm{STOP}$ and $a$ ($a \in \Sigma$) are interpreted as the constant maps $\sigma \mapsto \mathcal{R}$ and $\sigma \mapsto \mathrm{res}(a)$, the process $x$ is interpreted as the projection $\sigma \mapsto \sigma(x)$, restriction is intersection with $R$, the two compositions $\circ$ and $\parallel_C$ are union, and finally recursion $\mathrm{rec}\,x$ is the greatest fixed point: it maps $f \in [\mathcal{P}(\mathcal{R})^{\mathcal{V}} \to \mathcal{P}(\mathcal{R})]$ to the mapping $\sigma \mapsto (\nu R.\, f(\sigma[x \mapsto R]))$. With this view, the mapping $p \mapsto \mathrm{res}(p, -)$ is the unique $\Omega$-algebra map from $\mathcal{L}$ to $[\mathcal{P}(\mathcal{R})^{\mathcal{V}} \to \mathcal{P}(\mathcal{R})]$.

We use $p[q/x]$ to denote the result of substituting $q$ for the variable $x$ in $p$. We now show how to compute the resource map at the process $p[q/x]$ in terms of the resource map at $p$.

Lemma 1. Let $p, q \in \mathcal{L}$ be two processes and $\sigma \in \mathcal{P}(\mathcal{R})^{\mathcal{V}}$ be a resource environment. Then

$\mathrm{res}(p[q/x], \sigma) = \mathrm{res}(p, \sigma[x \mapsto \mathrm{res}(q, \sigma)]).$ □
5 Operational Semantics

In this section we present an operational semantics for all terms $p \in \mathcal{L}$, even those with free variables. This is necessitated by our use of something other than the usual least fixed point semantics of recursion that domain theory offers. The reason for this will be clarified later on; for now, we confine our discussion to presenting the transition rules for our language, and deriving results about the resulting behavior of terms from $\mathcal{L}$ under these rules. The key is to use environments. We rely on the mappings $\sigma\colon \mathcal{V} \to \mathcal{P}(\mathcal{R})$ to aid us, and so our transition rules tell us what next steps are possible for a term in a given environment $\sigma$.

We must make an additional assumption to define our transition rules. We are interested in supporting synchronization over a set $C \subseteq \mathcal{R}$ which we view as the channels over which synchronization can occur. We therefore assume that the alphabet $\Sigma$ has a synchronization operation $\parallel\colon \Sigma \times \Sigma \to \Sigma$ that satisfies $\mathrm{res}(a_1 \parallel a_2) = \mathrm{res}(a_1) \cup \mathrm{res}(a_2)$ for all $(a_1, a_2) \in \Sigma^2$. Moreover, for $p_1, p_2 \in \mathcal{L}$, $\sigma \in \mathcal{P}(\mathcal{R})^{\mathcal{V}}$ and $C \subseteq \mathcal{R}$ we define the set $\mathrm{Sync}_{C,\sigma}(p_1, p_2)$ of pairs $(a_1, a_2) \in \Sigma^2$ such that

$\mathrm{res}(a_1) \cap \mathrm{res}(p_2, \sigma) = \mathrm{res}(a_2) \cap \mathrm{res}(p_1, \sigma) = \mathrm{res}(a_1) \cap C = \mathrm{res}(a_2) \cap C \neq \emptyset.$

$\mathrm{Sync}_{C,\sigma}(p_1, p_2)$ consists of all pairs which may be synchronized in $p_1 \parallel_C p_2$. We present the transition rules which are the basis for the operational semantics of our language $\mathcal{L}$ in Table 1 below. We denote by $\mathrm{SKIP}$ the process $\mathrm{STOP}|_\emptyset$.

We need a number of results about the rules in Table 1 before we can define the operational behaviour of a term $p \in \mathcal{L}$. Some of the results presented here are easier to prove once we have defined the denotational semantics of our language in the following section, but we have chosen to state the results now to improve the readability of the presentation.

Proposition 5. In the following, $p, p', p'' \in \mathcal{L}$ are processes, $\sigma \in \mathcal{P}(\mathcal{R})^{\mathcal{V}}$ is a syntactic environment, $x \in \mathcal{V}$, and $s \in \Sigma^*$.

1. $p \xrightarrow{s}_\sigma p'$ implies $\mathrm{res}(p, \sigma) = \mathrm{res}(p', \sigma) \cup \mathrm{res}(s)$.

2. $p \xrightarrow{a}_\sigma p'$ and $p \xrightarrow{a}_\sigma p''$ imply $p' = p''$.

3. If $a \neq b$ then $p \xrightarrow{a}_\sigma p'$ and $p \xrightarrow{b}_\sigma p''$ imply $a\, I\, b$ and $\exists p''' \in \mathcal{L}$ with $p' \xrightarrow{b}_\sigma p'''$ and $p'' \xrightarrow{a}_\sigma p'''$.

4. If $a\, I\, b$ then $p \xrightarrow{a}_\sigma p'$ and $p' \xrightarrow{b}_\sigma p''$ imply $\exists p''' \in \mathcal{L}$ with $p \xrightarrow{b}_\sigma p'''$ and $p''' \xrightarrow{a}_\sigma p''$. □

Proposition 5(2) means that our transition system is deterministic. Adding Proposition 5(3), we know that it is strongly locally confluent, whence Church-Rosser. Since we want a truly concurrent semantics, it should be possible for a process to execute independent events concurrently, i.e., independently. This is reflected by Proposition 5(4) in our transition system. From this we derive by induction
Corollary 1. Let $u, v \in \Sigma^*$ with $u \equiv_I v$. Then $p \xrightarrow{u}_\sigma q$ iff $p \xrightarrow{v}_\sigma q$. Hence $p \xrightarrow{s}_\sigma q$ is well-defined for finite traces $s \in \mathbb{M}(\Sigma, D)$. □

Table 1. The transition rules for $\mathcal{L}$. All transitions are relative to a syntactic environment $\sigma$; $\mathrm{SKIP}$ denotes $\mathrm{STOP}|_\emptyset$.

(1) $a \xrightarrow{a}_\sigma \mathrm{SKIP}$ for every $a \in \Sigma$.

(2a) From $p_1 \xrightarrow{a}_\sigma p_1'$ infer $p_1 \circ p_2 \xrightarrow{a}_\sigma p_1' \circ p_2$.

(2b) From $p_2 \xrightarrow{a}_\sigma p_2'$ and $\mathrm{res}(a) \cap \mathrm{res}(p_1, \sigma) = \emptyset$ infer $p_1 \circ p_2 \xrightarrow{a}_\sigma p_1 \circ p_2'$.

(3) From $p \xrightarrow{a}_\sigma p'$ and $\mathrm{res}(a) \subseteq R$ infer $p|_R \xrightarrow{a}_\sigma p'|_R$.

(4a) From $p_1 \xrightarrow{a}_\sigma p_1'$ and $\mathrm{res}(a) \cap (\mathrm{res}(p_2, \sigma) \cup C) = \emptyset$ infer $p_1 \parallel_C p_2 \xrightarrow{a}_\sigma p_1' \parallel_C p_2$.

(4b) From $p_2 \xrightarrow{a}_\sigma p_2'$ and $\mathrm{res}(a) \cap (\mathrm{res}(p_1, \sigma) \cup C) = \emptyset$ infer $p_1 \parallel_C p_2 \xrightarrow{a}_\sigma p_1 \parallel_C p_2'$.

(4c) From $p_1 \xrightarrow{a_1}_\sigma p_1'$, $p_2 \xrightarrow{a_2}_\sigma p_2'$ and $(a_1, a_2) \in \mathrm{Sync}_{C,\sigma}(p_1, p_2)$ infer $p_1 \parallel_C p_2 \xrightarrow{a_1 \parallel a_2}_\sigma p_1' \parallel_C p_2'$.

(5) From $p \xrightarrow{a}_{\sigma'} p'$, where $\sigma' = \sigma[x \mapsto \mathrm{res}(\mathrm{rec}\,x.p, \sigma)]$, infer $\mathrm{rec}\,x.p \xrightarrow{a}_\sigma p'[\mathrm{rec}\,x.p/x]$.

In an interleaving semantics, the possible operational behaviors of a process $p$ in the environment $\sigma \in \mathcal{P}(\mathcal{R})^{\mathcal{V}}$ would consist of the set

$\mathcal{X}_{\Sigma^*}(p, \sigma) = \{u \in \Sigma^* \mid \exists q \in \mathcal{L},\ p \xrightarrow{u}_\sigma q\}.$

Thanks to Corollary 1, we actually can define the possible concurrent behaviors as

$\mathcal{X}_{\mathbb{M}}(p, \sigma) = \{t \in \mathbb{M}(\Sigma, D) \mid \exists q \in \mathcal{L},\ p \xrightarrow{t}_\sigma q\}.$

But, knowing only a possible real (finite) trace that can be executed does not allow us to know how the process can be continued or composed with another process. Hence we need to bring resources into the picture, and so we define the resource trace behaviors by

$\mathcal{X}_{\mathbb{F}}(p, \sigma) = \{(s, \mathrm{res}(q, \sigma)) \in \mathbb{F} \mid q \in \mathcal{L},\ p \xrightarrow{s}_\sigma q\}.$

The meaning is that $(s, S) \in \mathcal{X}_{\mathbb{F}}(p, \sigma)$ if $p$ can concurrently execute the trace $s$ and then still claim the resources in $S$.

Actually, we can prove that the set $\mathcal{X}_{\mathbb{F}}(p, \sigma)$ is directed. The interpretation is that $p$ has a unique maximal behavior in the environment $\sigma$, which is the least upper bound of $\mathcal{X}_{\mathbb{F}}(p, \sigma)$: $\mathcal{B}_{\mathbb{F}}(p, \sigma) = \bigsqcup \mathcal{X}_{\mathbb{F}}(p, \sigma)$. This is exactly what tells us that our semantics of parallelism does not involve nondeterministic choice.
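The resource map of Section 4 and the rules of Table 1 are small enough to execute. The following Python program is an added example, not code from the paper: it implements $\mathrm{res}(p, \sigma)$ including the greatest-fixed-point reading of recursion (Proposition 4), substitution $p[q/x]$, and a step function that returns every transition $p \xrightarrow{a}_\sigma p'$ licensed by rules (1) to (5). The term representation, the four-letter alphabet with its resources, the channel $\mathrm{ch}$ and the name given to a synchronized action $a_1 \parallel a_2$ are assumptions made for this example only. Running it shows determinism (one successor per label), the commutation of independent actions under $\circ$ and $\parallel_C$, a synchronization on a channel, and a deadlock caused by a conflicting event with no partner.

```python
"""The language L (Section 3), its resource map (Section 4) and the transition
rules of Table 1 (Section 5).

Added example, not the paper's code. Processes are tuples ("STOP",),
("act", a), ("seq", p, q), ("restr", p, R), ("par", p, q, C), ("var", x) and
("rec", x, p); an environment sigma is a dict from variables to resource sets.
The alphabet, its resource map and the synchronized action a1||a2 (named
"a1||a2" here, with res(a1)|res(a2)) are constructed for illustration.
"""
from itertools import product

RES = {"a": frozenset({"m"}), "b": frozenset({"n"}),
       "c": frozenset({"m", "ch"}), "d": frozenset({"n", "ch"})}
ALL = frozenset({"m", "n", "ch"})                      # the resource set R
STOP, SKIP = ("STOP",), ("restr", ("STOP",), frozenset())

def sync(a1, a2):
    """The synchronized action a1||a2, with res(a1||a2) = res(a1) | res(a2)."""
    name = f"{a1}||{a2}"
    RES.setdefault(name, RES[a1] | RES[a2])
    return name

def res(p, sigma):
    """res(p, sigma) of Section 4; rec x.p is read with x bound to the empty set."""
    tag = p[0]
    if tag == "STOP":
        return ALL
    if tag == "act":
        return RES[p[1]]
    if tag in ("seq", "par"):
        return res(p[1], sigma) | res(p[2], sigma)
    if tag == "restr":
        return res(p[1], sigma) & p[2]
    if tag == "var":
        return sigma[p[1]]
    return res(p[2], {**sigma, p[1]: frozenset()})    # rec x.p

def gfp(x, body, sigma):
    """Proposition 4: iterate R -> res(body, sigma[x -> R]) from the top of
    (P(R), >=), i.e. from the empty set, until it stabilises."""
    R = frozenset()
    while res(body, {**sigma, x: R}) != R:
        R = res(body, {**sigma, x: R})
    return R

def subst(p, x, q):
    """p[q/x]; an inner rec x rebinds x, so nothing below it is replaced."""
    tag = p[0]
    if tag == "var":
        return q if p[1] == x else p
    if tag == "rec":
        return p if p[1] == x else ("rec", p[1], subst(p[2], x, q))
    if tag in ("seq", "par"):
        return (tag, subst(p[1], x, q), subst(p[2], x, q)) + p[3:]
    if tag == "restr":
        return ("restr", subst(p[1], x, q), p[2])
    return p

def in_sync(a1, a2, r1, r2, C):
    """(a1, a2) in Sync_{C,sigma}(p1, p2), where ri = res(pi, sigma)."""
    s = RES[a1] & C
    return bool(s) and s == RES[a2] & C == RES[a1] & r2 == RES[a2] & r1

def steps(p, sigma):
    """All transitions p --a-->_sigma p' of Table 1, as a dict {a: p'};
    Proposition 5(2) guarantees one successor per label."""
    tag, out = p[0], {}
    if tag == "act":                                           # (1)
        out[p[1]] = SKIP
    elif tag == "seq":                                         # (2a), (2b)
        p1, p2 = p[1], p[2]
        for a, q in steps(p1, sigma).items():
            out[a] = ("seq", q, p2)
        for a, q in steps(p2, sigma).items():
            if not RES[a] & res(p1, sigma):
                out[a] = ("seq", p1, q)
    elif tag == "restr":                                       # (3)
        for a, q in steps(p[1], sigma).items():
            if RES[a] <= p[2]:
                out[a] = ("restr", q, p[2])
    elif tag == "par":                                         # (4a), (4b), (4c)
        p1, p2, C = p[1], p[2], p[3]
        s1, s2 = steps(p1, sigma), steps(p2, sigma)
        r1, r2 = res(p1, sigma), res(p2, sigma)
        for a, q in s1.items():
            if not RES[a] & (r2 | C):
                out[a] = ("par", q, p2, C)
        for a, q in s2.items():
            if not RES[a] & (r1 | C):
                out[a] = ("par", p1, q, C)
        for (a1, q1), (a2, q2) in product(s1.items(), s2.items()):
            if in_sync(a1, a2, r1, r2, C):
                out[sync(a1, a2)] = ("par", q1, q2, C)
    elif tag == "rec":                                         # (5)
        x, body = p[1], p[2]
        for a, q in steps(body, {**sigma, x: res(p, sigma)}).items():
            out[a] = subst(q, x, p)
    return out

def run(p, labels, sigma):
    """Follow the transitions labelled by `labels`; None once the process is stuck."""
    for a in labels:
        p = steps(p, sigma).get(a)
        if p is None:
            return None
    return p
```

A process is deadlocked, as opposed to terminated, when `steps` returns nothing but `res` is still non-empty: for $c \parallel_{\{\mathrm{ch}\}} b$ the local action $b$ fires, after which $c$ touches the channel without a partner and the term keeps claiming $\{\mathrm{m}, \mathrm{ch}\}$. For $(a \circ c) \parallel_{\{\mathrm{ch}\}} (b \circ d)$ the two local actions commute and the pair $(c, d)$ then synchronizes to a term with no resources left.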

6 Denotational Semantics

The denotational semantics for our language takes its values in the family $[\mathbb{F}^{\mathcal{V}} \to \mathbb{F}]$ of continuous maps from $\mathbb{F}^{\mathcal{V}}$ to the underlying domain $\mathbb{F} = \mathbb{F}(\Sigma, D)$ of resource traces. As was the case with the resources model of Section 4, the semantics of a finitary process (i.e., one without variables) $p \in \mathcal{L}$ is a constant map, which means it is a resource trace. More generally, the semantics of any closed process $p \in \mathcal{L}$ is simply a resource trace. But, as in the case of the semantics based on the mapping $\mathrm{res}\colon \Sigma \to \mathcal{P}(\mathcal{R})$, in order to give the semantics of recursion, we also have to consider terms with free variables.

We begin by defining the family of semantic environments to be the mappings $\sigma\colon \mathcal{V} \to \mathbb{F}$, and we endow this with the domain structure from the target domain $\mathbb{F}$, regarding $\mathbb{F}^{\mathcal{V}}$ as a product of $\mathcal{V}$ copies of $\mathbb{F}$. The semantics of an arbitrary process $p \in \mathcal{L}$ is a continuous map from $\mathbb{F}^{\mathcal{V}}$ to $\mathbb{F}$, and the semantics of a recursive process $\mathrm{rec}\,x.p$ is obtained using a fixed point of the semantic map associated with $p$.

We obtain a compositional semantics by defining the structure of a continuous $\Omega$-algebra on $[\mathbb{F}^{\mathcal{V}} \to \mathbb{F}]$. We define the interpretations of constants and variables in $[\mathbb{F}^{\mathcal{V}} \to \mathbb{F}]$ directly, but for the other operators except recursion, we instead define their interpretations on $\mathbb{F}$, and then extend them to $[\mathbb{F}^{\mathcal{V}} \to \mathbb{F}]$ in a pointwise fashion. This approach induces on $[\mathbb{F}^{\mathcal{V}} \to \mathbb{F}]$ the structure of a continuous $\Omega$-algebra (cf. [1]). Recursion needs a special treatment since we do not use the classical least fixed point semantics, as explained in Section 6.5.

6.1 Constants and Variables

The denotational semantics of constants and of variables are defined by the maps:

$[\![\mathrm{STOP}]\!] \in [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}]$ by $[\![\mathrm{STOP}]\!](\sigma) = (1, \mathcal{R})$,

$[\![a]\!] \in [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}]$ by $[\![a]\!](\sigma) = (a, \emptyset)$,

$[\![x]\!] \in [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}]$ by $[\![x]\!](\sigma) = \sigma(x)$.

The first two clearly are continuous, since they are constant maps. The last mapping amounts to projection of the element $\sigma \in \mathbb{F}^{\mathcal{V}}$ onto its $x$-component, and since we endow $\mathbb{F}^{\mathcal{V}}$ with the product topology, this mapping also is continuous.

6.2 Weak Sequential Composition

We define the semantics of weak sequential composition using the following result about the concatenation of resource traces.

Proposition 6 ([4]). Concatenation over resource traces is a continuous operation. Moreover, $\mathrm{res}(x_1 \cdot x_2) = \mathrm{res}(x_1) \cup \mathrm{res}(x_2)$ for all $(x_1, x_2) \in \mathbb{F}^2$. □

The denotational semantics of $\circ$ is then defined by:

$\circ\colon [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}]^2 \to [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}]$ by $(f_1 \circ f_2)(\sigma) = f_1(\sigma) \cdot f_2(\sigma).$

6.3 Restriction

For restriction and parallel composition, we need to define new operations on traces that have not been introduced so far. We start with restriction, which we obtain as the composition of two continuous maps. Let $R \subseteq \mathcal{R}$ be a fixed resource set. We first introduce

$\mathbb{F}_R = \{x \in \mathbb{F} \mid \mathrm{res}(\mathrm{Re}(x)) \subseteq R\},$

the set of resource traces whose real parts use resources from $R$ only. Note that if some set $X \subseteq \mathbb{F}_R$ is pairwise consistent in $\mathbb{F}$, then its sup in $\mathbb{F}$ exists and actually belongs to $\mathbb{F}_R$. Therefore, $\mathbb{F}_R$ is also a consistently complete domain. Recall also that ${\uparrow}x = \{y \in \mathbb{F} \mid x \sqsubseteq y\}$ denotes the upper set of $x \in \mathbb{F}$. Now we define

$f\colon \mathbb{F} \to \mathbb{F}_R$ by $x \mapsto \bigsqcup\{y \in \mathbb{F}_R \mid y \sqsubseteq x\},$

$g\colon \mathbb{F}_R \to {\uparrow}(1, R) \subseteq \mathbb{F}$ by $(s, S) \mapsto (s, S \cap R),$

and finally

$|_R = g \circ f\colon \mathbb{F} \to \mathbb{F}.$

Note first that all these mappings are well-defined. Indeed, the set $Y = \{y \in \mathbb{F}_R \mid y \sqsubseteq x\}$ is bounded above in $\mathbb{F}$, so its sup exists and belongs to $\mathbb{F}_R$. To show that $g$ is well-defined, one only has to observe that $\mathrm{resinf}(s) \subseteq S \cap R$ when $(s, S) \in \mathbb{F}_R$. Therefore, $|_R$ is well-defined, too.

Proposition 7. The mapping $|_R\colon \mathbb{F} \to \mathbb{F}$ defined by $x|_R = g \circ f(x)$ is continuous. Moreover, we have $\mathrm{res}(x|_R) = \mathrm{res}(x) \cap R$ for all $x \in \mathbb{F}$. □

From this, we obtain the semantics of the restriction operator by

$|_R\colon [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}] \to [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}]$ by $(f|_R)(\sigma) = f(\sigma)|_R.$

6.4 Parallel Composition

We require some preliminary definitions and results before we can define the parallel composition of resource traces. We use the results from Section 2.3 to define the semantics of this operation. Recall first that we assumed the existence of a parallel composition over actions of the alphabet, $\parallel\colon \Sigma \times \Sigma \to \Sigma$, that satisfies $\mathrm{res}(a_1 \parallel a_2) = \mathrm{res}(a_1) \cup \mathrm{res}(a_2)$ for all $(a_1, a_2) \in \Sigma^2$. The action $a_1 \parallel a_2$ represents the result of synchronizing $a_1$ and $a_2$ in a parallel composition.

We introduce the alphabet $\Sigma' = (\Sigma \cup \{1\})^2 \setminus \{(1, 1)\}$ with the resource map $\mathrm{res}'(a_1, a_2) = \mathrm{res}(a_1) \cup \mathrm{res}(a_2)$ (where $\mathrm{res}(1) = \emptyset$) and the associated dependence relation $D'$. Then we consider the sets $\mathbb{R}(\Sigma', D')$ and $\mathbb{F}(\Sigma', D')$ of real traces and of resource traces over the resource alphabet $\mathrm{res}'\colon \Sigma' \to \mathcal{P}(\mathcal{R})$. We define the alphabetic mappings

$\pi_i\colon \Sigma' \to \Sigma \cup \{1\}$ by $\pi_i(a_1, a_2) = a_i$, $i = 1, 2$, and

$\Pi\colon \Sigma' \to \Sigma$ by $\Pi(a_1, a_2) = a_1 \parallel a_2$,

where we set $a \parallel 1 = 1 \parallel a = a$. Note that $\mathrm{res}(\pi_i(a_1, a_2)) \subseteq \mathrm{res}'(a_1, a_2)$, $i = 1, 2$, and $\mathrm{res}(\Pi(a_1, a_2)) = \mathrm{res}'(a_1, a_2)$. Therefore, the three mappings extend to continuous morphisms over real traces (Proposition 2) and to continuous maps over resource traces. Moreover, $\Pi$ also is a morphism of resource traces (Proposition 3).

We consider a subset $C \subseteq \mathcal{R}$ of resources on which we want to synchronize; we call these resources channels. We fix two resource traces $x_1 = (s_1, S_1)$ and $x_2 = (s_2, S_2)$ of $\mathbb{F}(\Sigma, D)$ and we want to define a resource trace $x_1 \parallel_C x_2$ which represents the parallel composition of $x_1$ and $x_2$ with synchronization on the channels of $C$. We first define a resource trace $\varphi(x_1, x_2) \in \mathbb{F}(\Sigma', D')$ which represents the parallel composition of $x_1$ and $x_2$. Then we set $x_1 \parallel_C x_2 = \Pi(\varphi(x_1, x_2))$. Since the mapping $\Pi$ is continuous, in order to obtain a continuous semantics for parallel composition, we only need to show that the mapping $\varphi\colon \mathbb{F}(\Sigma, D)^2 \to \mathbb{F}(\Sigma', D')$ is continuous as well.

In analogy to the set $\mathrm{Sync}_{C,\sigma}(p_1, p_2)$ for terms $p_1, p_2 \in \mathcal{L}$, given resource traces $x_i = (s_i, S_i)$, $i = 1, 2$, we can define the synchronization set $\mathrm{Sync}_C(x_1, x_2)$ as the set of pairs $(a_1, a_2) \in \mathrm{Alph}(s_1) \times \mathrm{Alph}(s_2)$ satisfying

$\mathrm{res}(a_1) \cap C = \mathrm{res}(a_2) \cap C = \mathrm{res}(a_1) \cap \mathrm{res}(x_2) = \mathrm{res}(a_2) \cap \mathrm{res}(x_1) \neq \emptyset.$

Then the set $\Sigma_C(x_1, x_2)$ of actions which may occur in $\varphi(x_1, x_2)$ is defined as

$\Sigma_C(x_1, x_2) = \{(a_1, 1) \in \mathrm{Alph}(s_1) \times \{1\} \mid \mathrm{res}(a_1) \cap (C \cup \mathrm{res}(x_2)) = \emptyset\}$
$\qquad \cup\ \{(1, a_2) \in \{1\} \times \mathrm{Alph}(s_2) \mid \mathrm{res}(a_2) \cap (C \cup \mathrm{res}(x_1)) = \emptyset\}$
$\qquad \cup\ \mathrm{Sync}_C(x_1, x_2).$

The first two sets in this union correspond to local events: these should not use any channel on which we want to synchronize ($\mathrm{res}(a_1) \cap C = \emptyset$). In addition, the condition $\mathrm{res}(a_1) \cap \mathrm{res}(x_2) = \emptyset$ implies that a local event does not conflict with any event of the other component, which ensures that parallel composition does not involve nondeterministic choice. The set $\mathrm{Sync}_C(x_1, x_2)$ corresponds to synchronization events. In order to synchronize, two events must use exactly the same channels and, in order to assure determinism, neither should conflict with resources of the other component.

Now we introduce the set

$\mathcal{X}_C(x_1, x_2) = \{(t, T) \in \mathbb{F}(\Sigma', D') \mid \mathrm{Alph}(t) \subseteq \Sigma_C(x_1, x_2) \text{ and } \pi_i(t, T) \sqsubseteq x_i \text{ for } i = 1, 2\}.$

Proposition 8. The set $\mathcal{X}_C(x_1, x_2)$ has a least upper bound $x = (r, R)$ given by

$r = \bigvee\{r \in \mathbb{R}(\Sigma_C(x_1, x_2)) \mid \pi_i(r) \le s_i \text{ for } i = 1, 2\},$

$R = S_1 \cup S_2 \cup \mathrm{res}(r_1^{-1}s_1) \cup \mathrm{res}(r_2^{-1}s_2)$, where $r_i = \pi_i(r)$.

Moreover, $\mathcal{X}_C(x_1, x_2) = {\downarrow}x$ and $\mathrm{res}(x) = \mathrm{res}(x_1) \cup \mathrm{res}(x_2)$. □

Proposition 9. The mapping $\varphi\colon \mathbb{F}(\Sigma, D)^2 \to \mathbb{F}(\Sigma', D')$ defined by $\varphi(x_1, x_2) = \bigsqcup \mathcal{X}_C(x_1, x_2)$ is continuous. □

As announced earlier, we define the semantics of parallel composition by $\parallel_C = \Pi \circ \varphi$, and the above results imply:

Corollary 2. $\parallel_C\colon \mathbb{F}(\Sigma, D)^2 \to \mathbb{F}(\Sigma, D)$ defined by $x_1 \parallel_C x_2 = (\Pi \circ \varphi)(x_1, x_2)$ is continuous. Moreover, $\mathrm{res}(x_1 \parallel_C x_2) = \mathrm{res}(x_1) \cup \mathrm{res}(x_2)$ for all $(x_1, x_2) \in \mathbb{F}^2$. □

The semantics of parallel composition is defined by

$\parallel_C\colon [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}]^2 \to [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}]$ by $(f_1 \parallel_C f_2)(\sigma) = f_1(\sigma) \parallel_C f_2(\sigma).$

6.5 Recursion

In order to have a compositional semantics for recursion, we need to define for each variable $x \in \mathcal{V}$ an interpretation $\mathrm{rec}\,x\colon [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}] \to [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}]$, and then we will set $[\![\mathrm{rec}\,x.p]\!] = \mathrm{rec}\,x.[\![p]\!]$. For $f \in [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}]$, $\mathrm{rec}\,x.f$ will be defined as a fixed point of a continuous selfmap from $\mathbb{F}$ to $\mathbb{F}$, but we do not use the classical least fixed point semantics. Indeed, for the process $\mathrm{rec}\,x.(a \circ x)$, the least fixed point semantics would give $(a^\omega, \mathcal{R})$, which claims and blocks unnecessarily all resources. Instead, the semantics should be $(a^\omega, \mathrm{res}(a))$, which claims only the resources needed for its execution. To obtain this semantics, we have to start the fixed point computation with $(1, \mathrm{res}(a))$, which is the least element of the subdomain in which our computation is taking place. We describe our approach in some detail now. Fixing a variable $x \in \mathcal{V}$, we first define the maps

$\varphi\colon [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}] \times \mathbb{F}^{\mathcal{V}} \to [\mathbb{F} \to \mathbb{F}]$ by $(f, \sigma) \mapsto \varphi_{f,\sigma}$,

$\psi\colon [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}] \times \mathbb{F}^{\mathcal{V}} \to [(\mathcal{P}(\mathcal{R}), \supseteq) \to (\mathcal{P}(\mathcal{R}), \supseteq)]$ by $(f, \sigma) \mapsto \psi_{f,\sigma}$,

where

$\varphi_{f,\sigma}(y) = f(\sigma[x \mapsto y]),$

$\psi_{f,\sigma}(R) = \mathrm{res}(f(\sigma[x \mapsto (1, R)])).$

Proposition 10. The two maps $\varphi$ and $\psi$ are well-defined and continuous. □

For $\sigma \in \mathbb{F}^{\mathcal{V}}$, we define $(\mathrm{rec}\,x.f)(\sigma)$ as a fixed point of the continuous map $\varphi_{f,\sigma}$. Instead of using the least fixed point of $\varphi_{f,\sigma}$, we start the iteration yielding the fixed point from a resource trace $\bot_{f,\sigma}$ which depends on $f$ and $\sigma$.

We define the mapping $R\colon [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}] \times \mathbb{F}^{\mathcal{V}} \to \mathcal{P}(\mathcal{R})$ by $(f, \sigma) \mapsto R_{f,\sigma} = \mathrm{FIX}(\psi_{f,\sigma})$, which assigns to each pair $(f, \sigma)$ the greatest fixed point of the monotone selfmap $\psi_{f,\sigma}$. The starting point for the iteration is simply the resource trace $\bot_{f,\sigma} = (1, R_{f,\sigma})$. Therefore, we also have a mapping $\bot\colon [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}] \times \mathbb{F}^{\mathcal{V}} \to \mathbb{F}$ by $(f, \sigma) \mapsto \bot_{f,\sigma} = (1, R_{f,\sigma})$.

Lemma 2. The maps $R\colon [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}] \times \mathbb{F}^{\mathcal{V}} \to \mathcal{P}(\mathcal{R})$ and $\bot\colon [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}] \times \mathbb{F}^{\mathcal{V}} \to \mathbb{F}$ are continuous. □

We define the semantics of recursion by

$\mathrm{rec}\,x\colon [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}] \to [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}]$ by $f \mapsto \mathrm{rec}\,x.f\colon \sigma \mapsto \bigsqcup_{n \ge 0} \varphi_{f,\sigma}^{\,n}(\bot_{f,\sigma}).$

Proposition 11. The mapping $\mathrm{rec}\,x\colon [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}] \to [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}]$ is well defined and continuous. □
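Carrying the iteration through for the process $\mathrm{rec}\,x.(a \circ x)$ mentioned above is an added worked computation, not part of the paper. Here $f = [\![a \circ x]\!]$, so $f(\sigma) = (a, \emptyset) \cdot \sigma(x)$ for every $\sigma \in \mathbb{F}^{\mathcal{V}}$, and the definitions give

$$\psi_{f,\sigma}(R) = \mathrm{res}\big((a, \emptyset) \cdot (1, R)\big) = \mathrm{res}(a) \cup R.$$

Its greatest fixed point in $(\mathcal{P}(\mathcal{R}), \supseteq)$, i.e. the smallest set $R$ with $\mathrm{res}(a) \subseteq R$, is $R_{f,\sigma} = \mathrm{res}(a)$, hence $\bot_{f,\sigma} = (1, \mathrm{res}(a))$. Since $\mu_{\emptyset}(s) = s$ and $\sigma_{\emptyset}(s) = \emptyset$ for every $s$, each iteration step simply prepends one $a$:

$$\varphi_{f,\sigma}^{\,n}(\bot_{f,\sigma}) = (a, \emptyset) \cdot (a^{n-1}, \mathrm{res}(a)) = (a^{n}, \mathrm{res}(a)) \qquad (n \ge 1),$$

$$(\mathrm{rec}\,x.f)(\sigma) = \bigsqcup_{n \ge 0} (a^{n}, \mathrm{res}(a)) = (a^{\omega}, \mathrm{res}(a)),$$

which is a resource trace because $\mathrm{resinf}(a^{\omega}) = \mathrm{res}(a)$. Starting instead from the least element $(1, \mathcal{R})$ of $\mathbb{F}$ gives $\varphi_{f,\sigma}^{\,n}(1, \mathcal{R}) = (a^{n}, \mathcal{R})$ and the least fixed point $(a^{\omega}, \mathcal{R})$: also a fixed point of $\varphi_{f,\sigma}$, but one that claims every resource in $\mathcal{R}$, which is exactly the over-approximation the choice of $\bot_{f,\sigma}$ avoids.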

6.6 Summary

We have defined our denotational semantics as a compositional mapping $[\![-]\!]\colon \mathcal{L} \to [\mathbb{F}^{\mathcal{V}} \to \mathbb{F}]$; the work in this section has validated that such a mapping exists, since $\mathcal{L}$ is the initial $\Omega$-algebra, and we have given a continuous interpretation in $[\mathbb{F}^{\mathcal{V}} \to \mathbb{F}]$ for each of the operators $\omega \in \Omega$ in the signature of our language. To summarize, the semantics of a process $p \in \mathcal{L}$ is the continuous map $[\![p]\!]$ defined inductively by:

$[\![\mathrm{STOP}]\!](\sigma) = (1, \mathcal{R})$

$[\![a]\!](\sigma) = (a, \emptyset)$

$[\![x]\!](\sigma) = \sigma(x)$

$[\![p \circ q]\!](\sigma) = [\![p]\!](\sigma) \cdot [\![q]\!](\sigma)$

$[\![p|_R]\!](\sigma) = [\![p]\!](\sigma)|_R$

$[\![p \parallel_C q]\!](\sigma) = [\![p]\!](\sigma) \parallel_C [\![q]\!](\sigma)$

$[\![\mathrm{rec}\,x.p]\!](\sigma) = (\mathrm{rec}\,x.[\![p]\!])(\sigma) = \bigsqcup_{n \ge 0} \varphi_{[\![p]\!],\sigma}^{\,n}(\bot_{[\![p]\!],\sigma})$

7 The Main Theorem

In this section we complete the picture by showing the relationship between the operational and denotational models for our language.

To begin, we relate the semantic resources of a process to the syntactic resources of the process. The semantic resource set of the process $p \in \mathcal{L}$ in some environment $\sigma \in \mathbb{F}^{\mathcal{V}}$ is given by $\mathrm{res}([\![p]\!](\sigma))$. In order to relate this semantic resource set to the syntactic resource set defined in Section 4, we introduce the map $\mathrm{res}^{\mathcal{V}}\colon \mathbb{F}^{\mathcal{V}} \to \mathcal{P}(\mathcal{R})^{\mathcal{V}}$ by $\mathrm{res}^{\mathcal{V}}(\sigma)(x) = \mathrm{res}(\sigma(x))$.

Proposition 12. Let $p \in \mathcal{L}$ and $\sigma \in \mathbb{F}^{\mathcal{V}}$; then $\mathrm{res}([\![p]\!](\sigma)) = \mathrm{res}(p, \mathrm{res}^{\mathcal{V}}(\sigma))$. □

The following result is the key lemma for the main theorem. It requires an extended sequence of results to derive.

Proposition 13. Let $p, q \in \mathcal{L}$, $a \in \Sigma$, $\sigma \in \mathbb{F}^{\mathcal{V}}$ and $\tau \in \mathcal{P}(\mathcal{R})^{\mathcal{V}}$. Then
P resV) ^ ^ = 

= ^ P ^ q- □ 

Using the above proposition, we can show that each possible operational 
behavior of p in some environment a G V{TZ)^ corresponds to some compact 
resource trace below |p]((r), and, conversely, that each compact resource trace 
below IpKc) approximates some operational behavior of p in a. 



[pogl(o-) = [pI(o-) • [g](CT) 
|p|Jgl(u) = [pl(u)|jM(u) 

bUl(c^) = (bl(c^))U 

^ I I Tlpl^cr{-^lp\,a) ■ 

n>0 
More precisely, in order to relate the operational and the denotational semantics, we use the mapping $\chi\colon \mathbb{F} \to \mathcal{P}(K(\mathbb{F}))$ defined by $\chi(x) = \{(s, S) \in K(\mathbb{F}) \mid s \le x,\ S = \mathrm{res}(s^{-1} \cdot x)\}$. Note that for all $x \in \mathbb{F}$ we have $\chi(x) \subseteq K(x) \subseteq {\downarrow}x$, and therefore $\chi(x)$ is directed and $\bigsqcup \chi(x) = x$.

Theorem 1. For all $p \in \mathcal{L}$ and $\sigma \in \mathcal{P}(\mathcal{R})^{\mathcal{V}}$, we have

$\mathcal{X}_{\mathbb{F}}(p, \sigma) = \chi([\![p]\!](\sigma))$

and therefore $\mathcal{B}_{\mathbb{F}}(p, \sigma) = [\![p]\!](\sigma)$. It follows directly that the denotational semantics $[\![-]\!]$ is adequate with respect to the operational semantics defined by $\mathcal{X}_{\mathbb{M}}$, by $\mathcal{X}_{\mathbb{F}}$ or by $\mathcal{B}_{\mathbb{F}}$.


8 Closing Remarks 

We have presented a simple language that includes a number of interesting operators: weak sequential composition, deterministic parallel composition, restriction and recursion. We also have presented a theorem relating its operational semantics to its denotational semantics and implying adequacy. The novel feature of our language is that the semantics of parallel composition does not involve nondeterministic choice, as it does in other approaches. We believe this language will have some interesting applications, among them the analysis of security protocols (where determinism has proved to be an important property) and model checking, where trace theory has been used to avoid the state explosion problem. We are exploring these applications in our ongoing work.

What remains to be done is to expand the language to include some of the 
missing operators from the usual approach to process algebra. Chief among these 
are the hiding operator of CSP and a choice operator. 
Abstract. Essential concepts of algebraic specification refinement are
translated into a type-theoretic setting involving System F and Reynolds’ 
relational parametricity assertion as expressed in Plotkin and Abadi’s 
logic for parametric polymorphism. At first order, the type-theoretic set- 
ting provides a canonical picture of algebraic specification refinement. 
At higher order, the type-theoretic setting allows future generalisation 
of the principles of algebraic specification refinement to higher order and 
polymorphism. We show the equivalence of the acquired type-theoretic 
notion of specification refinement with that from algebraic specification. 
To do this, a generic algebraic-specification strategy for behavioural re- 
finement proofs is mirrored in the type-theoretic setting. 



1 Introduction 

This paper aims to express in type theory certain essential concepts of algebraic 
specification refinement. The benefit to algebraic specification is that inherently 
first-order concepts are translated into a setting in which they may be generalised 
through the full force of the chosen type theory. Furthermore, in algebraic spec- 
ification many concepts have numerous theoretical variants. Here, the setting of 
type theory may provide a somewhat sobering framework, in that type-theoretic 
formalisms insist on certain sensibly canonical choices. 

On the other hand, the benefit to type theory is to draw from the rich source 
of formalisms, development methodology and reasoning techniques in algebraic 
specification. See [7] for a survey and comprehensive bibliography. One of the 
most appealing and successful endeavours in algebraic specification is that of 
stepwise specification refinement, in which abstract descriptions of processes and 
data types are methodically refined to concrete executable descriptions, viz. pro- 
grams and program modules. In this paper we base ourselves on the description 
in [31,30], and we highlight three essential concepts that make this account of 
specification refinement apt for real-life development. These are so-called constructor implementations, behavioural equivalence and stability. We will express 
this refinement framework in a type-theoretic environment comprised of Sys- 
tem F and the assumption of relational parametricity in Reynolds’ sense [27,18], 
as expressed in Plotkin and Abadi’s logic for parametric polymorphism [24]. 
Abstract data types are expressed in the type theory as existential types. 

The above concepts of specification refinement fall out naturally in this set- 
ting. In this, relational parametricity plays an essential role. It gives the equiv- 
alence at first order of observational equivalence to equality at existential type. 
In algebraic specification there is a generic proof strategy formalised in [6,4,5] 
for proving observational refinements. This considers axiomatisations of so-called 
behavioural (partial) congruences. As also observed in [25], Plotkin and Abadi’s 
logic is not sufficient to accommodate this proof strategy. Inspired by [25], we 
choose the simple solution of adding axioms stating the existence of quotients 
and sub-objects. This is justified by the soundness of the axioms w.r.t. the para- 
metric PER-model [3] for Plotkin and Abadi’s logic. In this paper we import the 
proof strategy into type theory to show a correspondence between two notions 
of refinement. But this importation is also interesting in its own right, and our 
results complement those of [25] in that we consider also partial congruences. 

Other work linking algebraic specification and type theory includes [17] en- 
coding constructor implementations in ECC, [26] expressing module-algebra 
axioms in ECC, [23] encoding behavioural equalities in UTT, [2] treating the 
specification language ASL+, [35] using Nuprl as a specification language, and 
[34] promoting dependent types in specification. Only [25] utilises relational 
parametricity. There are also non-type-theoretic higher-order approaches using 
higher-order universal algebra [20], and other set-theoretic models [16]. 

The next section outlines algebraic specification refinement, highlighting the 
three essential concepts above. Then, the translation of algebraic specification 
refinement into a System F environment is presented, giving a type-theoretic notion of specification refinement. The main result of this paper is a correspondence at first order between algebraic specification refinement and the type-theoretic 
notion of specification refinement. This sets the scene for generalising the refine- 
ment concepts now implanted in type theory to higher order and polymorphism. 

2 Algebraic Specification Refinement 

Let $\Sigma = (S, \Omega)$ be a signature, consisting of a set $S$ of sorts, and an $S^* \times S$-sorted set $\Omega$ of operator names. We write profiles $f : s_1 \times \cdots \times s_n \to s$ meaning $f \in \Omega_{s_1 \cdots s_n, s}$. A $\Sigma$-algebra $A = ((A_s)_{s \in S}, F)$ consists of an $S$-sorted set $(A_s)_{s \in S}$ of non-empty carriers and a set $F$ containing a total function $f^A \in (A_{s_1} \times \cdots \times A_{s_n} \to A_s)$ for every $f : s_1 \times \cdots \times s_n \to s \in \Omega$. The class of $\Sigma$-algebras is denoted by $\Sigma\mathrm{Alg}$. Given a countable $S$-sorted set $X$ of variables, the free $\Sigma$-algebra over $X$ is denoted $T_\Sigma(X)$ and for $s \in S$ the carrier $T_\Sigma(X)_s$ contains the terms of sort $s$. We consider sorted first-order logic with equality. A formula $\varphi$ is a $\Sigma$-formula if all terms in $\varphi$ are of sorts in $S$. Let $\Phi$ be a set of closed $\Sigma$-formulae. Then $SP = (\Sigma, \Phi)$ is a basic algebraic specification, and its semantics $[\![SP]\!]$ is $\mathrm{Mod}_\Sigma(\Phi)$, the class of $\Sigma$-algebras that are models of $\Phi$. 

Example 1. The following specification specifies stacks of natural numbers. 

spec Stack is 
  sorts nat, stack 
  operators empty : stack, push : nat × stack → stack, 
            pop : stack → stack, top : stack → nat 
  axioms $\Phi_{\mathsf{Stack}}$ : pop(push(x, s)) = s 
                          top(push(x, s)) = x 
We omit universal quantification over free variables in examples. The semantics 
of a data type (in a program) is an algebra. Wide-spectrum specification lan- 
guages e.g. Extended ML [14], allow specifications and programs to be written 
in a uniform language, so that specifications are abstract descriptions of a data 
type or systems of data types, while program modules and programs are con- 
crete executable descriptions of the same. A refinement process seeks to develop 
in a sound methodical way the latter from the former, and a program is then 
a full refinement or realisation of an abstract specification. The basic definition 
of refinement we adopt here is given by the following refinement relation on 
specifications of the same signature [30,32]: SPj'^ SPj+i I'5'Ej] A [‘S'Pj+i]. 

There are two indispensable refinements, as it were, of the refinement relation. 
One introduces constructors, the other involves behavioural abstraction. 

A refinement process involves making decisions about design and implemen- 
tation detail. At some point a particular function or module may become com- 
pletely determined and remain unchanged throughout the remainder of the re- 
finement process. It is convenient to lay aside the fully refined parts and continue 
development on the remaining unresolved parts only. Let $\kappa$ be a parameterised program [9] with input interface $SP_{j+1}$ and output interface $SP_j$. Given a program $P$ that is a full refinement of $SP_{j+1}$, the instantiation $\kappa(P)$ is then a full refinement of $SP_j$. The semantics of a parameterised program is a function $[\![\kappa]\!] \in (\Sigma_{SP_{j+1}}\mathrm{Alg} \to \Sigma_{SP_j}\mathrm{Alg})$ called a constructor. Constructor implementation is then defined [30] as $SP_j \leadsto_{\kappa} SP_{j+1} \Leftrightarrow [\![SP_j]\!] \supseteq [\![\kappa]\!]([\![SP_{j+1}]\!])$. The parameterised program $\kappa$ is the fully refined part of the system which is set aside, and $SP_{j+1}$ specifies the remaining unresolved part that needs further refinement. 

A major point in algebraic specification is that an abstract specification really 
is abstract enough to give freedom of implementation. The notion of behavioural 
abstraction captures the concept that two programs are considered equivalent if their observable behaviours are equivalent. Algebraically one assumes a designated set $Obs \subseteq S$ of observable sorts, and a designated set $In \subseteq S$ of input sorts. Observable computations are represented by terms in $T_\Sigma(X_{In})_s$ for $s \in Obs$, where $(X_{In})_s = X_s$ for $s \in In$ and $\emptyset$ otherwise. Two $\Sigma$-algebras $A$ and $B$ are observationally equivalent w.r.t. $Obs, In$, written $A \equiv_{Obs,In} B$, if every observable computation has equivalent denotations in $A$ and $B$ [29]. However, the semantics $[\![SP]\!]$ is not always closed under behavioural equivalence. For example, the stack-with-pointer implementation of stacks of natural numbers does not satisfy pop(push(x, s)) = s and is not in $[\![\mathsf{Stack}]\!]$, but is behaviourally equivalent w.r.t. $Obs = In = \{nat\}$ to an algebra that is. To capture this, one defines the semantics $[\![SP]\!]_{Obs,In} = \{B \mid \exists A \in [\![SP]\!] .\ B \equiv_{Obs,In} A\}$, and defines refinement up to behavioural equivalence [30] as $(SP_j, Obs, In) \leadsto (SP_{j+1}, Obs', In') \Leftrightarrow [\![SP_j]\!]_{Obs,In} \supseteq [\![SP_{j+1}]\!]_{Obs',In'}$. Why do we want designated input sorts? One extremal view would be to say that all observable computations should be ground terms, i.e. proclaim $In = \emptyset$. But that would be too strict in a refinement situation where a data type depends on another as yet undeveloped data type. On the other hand, letting all sorts be input sorts would disallow intuitively feasible behavioural refinements as illustrated in the following example from [10]. 
Example 2. Consider the following specification of sets of natural numbers. 

spec Set is 
  sorts nat, set 
  operators empty : set, add : nat × set → set, 
            in : nat × set → bool, remove : nat × set → set 
  axioms add(x, add(x, s)) = add(x, s) 
         add(x, add(y, s)) = add(y, add(x, s)) 
         in(x, empty) = false 
         in(x, add(y, s)) = if x $=_{nat}$ y then true else in(x, s) 
         in(x, remove(x, s)) = false 

Consider the $\Sigma_{\mathsf{Set}}$-algebra ListImpl ($LI$) whose carrier $LI_{set}$ is the set of finite lists over the natural numbers; $\mathsf{empty}^{LI}$ gives the empty list, $\mathsf{add}^{LI}$ appends a given element to the end of a list only if the element does not occur already, $\mathsf{in}^{LI}$ is the occurrence function, and $\mathsf{remove}^{LI}$ removes the first occurrence of a given element. Being a $\Sigma_{\mathsf{Set}}$-algebra, $LI$ allows users only to build lists using $\mathsf{empty}^{LI}$ and $\mathsf{add}^{LI}$, and on such lists the efficient $\mathsf{remove}^{LI}$ gives the intended result. However, $LI \notin [\![\mathsf{Set}]\!]_{Obs,In}$ for $Obs = \{bool, nat\}$ and $In = \{set, bool, nat\}$, because the observable computation in(x, remove(x, s)) might give true, since $s$ ranges over all lists, not only the canonical ones generated by $\mathsf{empty}^{LI}$ and $\mathsf{add}^{LI}$. On the other hand, $LI \in [\![\mathsf{Set}]\!]_{Obs,In}$ for $In = Obs = \{bool, nat\}$, since now the use of set-variables in observable computations is prohibited. ◻ 

In this example, the correct choice was $In = Obs$. In fact $In = Obs$ is virtually always a sensible choice, and a very reasonable simplifying assumption. 
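The following Python script is an added example and not part of the paper. It implements the ListImpl algebra of Example 2 and checks the axiom in(x, remove(x, s)) = false over two ranges for s: the canonical lists denotable by closed terms built from empty and add (the only inputs available when In = {bool, nat}), and all lists over a small alphabet (what a set-sorted variable ranges over once set ∈ In). The helper names, the alphabet {0, 1, 2} and the search depth are constructed for the illustration; add_commutes additionally checks the commutativity axiom both literally and under an observable computation, which is the difference between [Set] and [Set]_{Obs,In}.

```python
# Added example (not from the paper): Example 2's ListImpl algebra, and why
# the choice of input sorts decides whether it satisfies the Set axioms.
from itertools import product

# The four operators of ListImpl. Carriers of sort set are Python lists.
def empty():
    return []

def add(x, s):
    # Append at the end only if x does not occur already.
    return list(s) if x in s else list(s) + [x]

def member(x, s):           # the operator "in" (a Python keyword)
    return x in s

def remove(x, s):
    # Removes only the *first* occurrence: cheap, and correct on canonical lists.
    s = list(s)
    if x in s:
        s.remove(x)
    return s

def canonical_sets(elems, depth):
    """Carriers denotable by closed terms add(x_k, ... add(x_1, empty) ...) with
    at most `depth` adds over `elems`: the only set values reachable when
    In = {bool, nat}. Returned as tuples so they can be collected in a set."""
    reached = {()}
    frontier = {()}
    for _ in range(depth):
        frontier = {tuple(add(x, list(s))) for s in frontier for x in elems}
        reached |= frontier
    return sorted(reached, key=lambda t: (len(t), t))

def all_lists(elems, max_len):
    """Every list over `elems` up to `max_len`: what a set-sorted variable s
    ranges over when set is an input sort."""
    return [list(t) for n in range(max_len + 1) for t in product(elems, repeat=n)]

def counterexample(s_values, elems):
    """First (x, s) violating in(x, remove(x, s)) = false, or None if the axiom holds."""
    for s in s_values:
        for x in elems:
            if member(x, remove(x, s)):
                return (x, list(s))
    return None

def observe_membership(t, elems):
    """An observable computation of sort bool^n: which of `elems` are in t."""
    return [member(z, t) for z in elems]

def add_commutes(x, y, s, observer):
    """add(x, add(y, s)) = add(y, add(x, s)) under `observer`. With the identity
    this is literal equality, which fails in ListImpl; with observe_membership it
    is behavioural equality, which holds."""
    return observer(add(x, add(y, s))) == observer(add(y, add(x, s)))

if __name__ == "__main__":
    print(counterexample(canonical_sets([0, 1, 2], 3), [0, 1, 2]))   # None
    print(counterexample(all_lists([0, 1, 2], 3), [0, 1, 2]))        # (0, [0, 0])
```

With set as an input sort the first violation is s = [0, 0], a value no sequence of add calls can produce. The same shape recurs in API design: an operation that is only correct on values produced by the type's own constructors is unsafe as soon as callers can hand in arbitrary representations, which is what restricting the input sorts (or, in Sect. 4, the type discipline) forbids.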

Behavioural refinement steps are in general hard to verify. A helpful concept is 
stability [33]. A constructor $[\![\kappa]\!]$ is stable if $A \equiv_{Obs',In'} B \Rightarrow [\![\kappa]\!](A) \equiv_{Obs,In} [\![\kappa]\!](B)$. Under stability, it suffices for proving $(SP_j, Obs, In) \leadsto_\kappa (SP_{j+1}, Obs', In')$, to show that $[\![SP_j]\!]_{Obs,In} \supseteq [\![\kappa]\!]([\![SP_{j+1}]\!])$. The following contrived but short example from [31] illustrates the point. See e.g. [33] for a more realistic example. 



Example 3. Consider the specification 

spec Triv is 
  sorts nat 
  operators id : nat × nat × nat → nat 
  axioms $\Phi_{\mathsf{Triv}}$ : id(x, n, z) = x 

Define the constructor $Tr \in (\Sigma_{\mathsf{Stack}}\mathrm{Alg} \to \Sigma_{\mathsf{Triv}}\mathrm{Alg})$ as follows. For $A \in \Sigma_{\mathsf{Stack}}\mathrm{Alg}$, define $multipush_A \in (\mathbb{N} \times \mathbb{N} \times A \to A)$ and $multipop_A \in (\mathbb{N} \times A \to A)$ by 

$$multipush_A(n, z, a) = \begin{cases} a, & n = 0 \\ push^A(z, multipush_A(n-1, z+1, a)), & n > 0 \end{cases}$$

$$multipop_A(n, a) = \begin{cases} a, & n = 0 \\ multipop_A(n-1, pop^A(a)), & n > 0 \end{cases}$$

Then $Tr(A)$ is the Triv-algebra whose single operator is given by 

$$id(x, n, z) = top^A(multipop_A(n, multipush_A(n, z, push^A(x, empty^A)))).$$

We have $[\![\mathsf{Triv}]\!]_{\{nat\},In} \supseteq Tr([\![\mathsf{Stack}]\!]_{\{nat\},In})$, but to prove this only assuming membership in $[\![\mathsf{Stack}]\!]_{\{nat\},In}$ is not straightforward. However, $Tr$ is in fact stable. So it suffices to show $[\![\mathsf{Triv}]\!]_{\{nat\},In} \supseteq Tr([\![\mathsf{Stack}]\!])$, and the proof of this is easy [31]. In particular, one may now hold pop(push(x, s)) = s among one's assumptions, although this formula is not valid for $[\![\mathsf{Stack}]\!]_{\{nat\},In}$. ◻ 

One still has to prove the stability of constructors. However, since constructors 
are given by concrete parameterised programs, this can be done in advance for 
the language as a whole. A key observation is that stability is intimately related 
to the effectiveness of encapsulation mechanisms in the language. 

Example 4 ([31]). Consider the constructor $Tr' \in (\Sigma_{\mathsf{Stack}}\mathrm{Alg} \to \Sigma_{\mathsf{Triv}}\mathrm{Alg})$ such that $Tr'(A)$ is the Triv-algebra whose single operator is given by 

$$id(x, n, z) = \begin{cases} x, & pop^A(push^A(z, empty^A)) = empty^A \\ \text{some value other than } x, & \text{otherwise} \end{cases}$$

Then for $A$ the array-with-pointer algebra, we get $Tr'(A) \notin [\![\mathsf{Triv}]\!]_{\{nat\},In}$ and so $[\![\mathsf{Triv}]\!]_{\{nat\},In} \not\supseteq Tr'([\![\mathsf{Stack}]\!]_{\{nat\},In})$. $Tr'$ is not stable, and $Tr'$ breaches the abstraction barrier by checking equality on the underlying implementation. ◻ 

Algebraic specifications may be complex, built from basic specifications using 
specification building operators, e.g. [36,32,37]. But as a starting point for the 
translation into type theory, we only consider basic specifications. 

3 The Type Theory 

We now sketch the logic in [24,19] for parametric polymorphism on System F. It 
is this accompanying logic that bears an extension rather than the type theory. 
See [1] for a more internalised approach. System F has types and terms as follows. 

$$T ::= X \mid T \to T \mid \forall X.T \qquad\qquad t ::= x \mid \lambda x{:}T.t \mid t\,t \mid \Lambda X.t \mid t\,T$$

where X and x range over type and term variables resp. However, formulae are 
now built using the usual connectives from equations and relation symbols. 

$$\phi ::= (t =_A u) \mid R(t, u) \mid \cdots \mid \forall R \subset A \times B.\phi \mid \exists R \subset A \times B.\phi$$

where $R$ ranges over relation symbols. We write $\alpha[R, X, x]$ to indicate possible occurrences of $R$, $X$ and $x$ in $\alpha$, and may write $\alpha[\rho, A, t]$ for the result of substitution, following the appropriate rules concerning capture. 

Judgements for type and term formation and second-order environments with 
term environments depending on type environments, are as usual. But formula 
formation now involves relation symbols, so second-order environments are augmented with relation environments, viz. a finite sequence $\Upsilon$ of relational typings $R \subset A \times B$ of relation variables, depending on the type environment, and obeying standard conventions for environments. The formation rules for atomic formulae consist of the usual one for equations, and now also one for relations: 

$$\frac{\Gamma \vdash t{:}A \qquad \Gamma \vdash u{:}B \qquad \Gamma \vdash \Upsilon \qquad \Gamma \vdash R \subset A \times B}{\Gamma, \Upsilon \vdash R(t, u)\ \mathrm{Prop}} \qquad (\text{also written } t\,R\,u)$$

The other rules for formulae are as expected. Relation definition is accommodated: 

$$\frac{\Gamma, x{:}A, y{:}B \vdash \phi\ \mathrm{Prop}}{\Gamma \vdash (x{:}A, y{:}B).\phi \subset A \times B}$$

For example $eq_A = (x{:}A, y{:}A).(x =_A y)$. 

If $\rho \subset A \times B$, $\rho' \subset A' \times B'$ and $\rho''[R] \subset A[Y] \times B[Z]$, then complex relations are built by $\rho \to \rho' \subset (A \to A') \times (B \to B')$ where 

$$(\rho \to \rho') = (f{:}A \to A', g{:}B \to B').(\forall x{:}A\, \forall x'{:}B.\ (x\,\rho\,x' \Rightarrow (f\,x)\,\rho'\,(g\,x')))$$

and $\forall(Y, Z, R \subset Y \times Z)\rho''[R] \subset (\forall Y.A[Y]) \times (\forall Z.B[Z])$ where 

$$\forall(Y, Z, R \subset Y \times Z)\rho'' = (y{:}\forall Y.A[Y], z{:}\forall Z.B[Z]).(\forall Y \forall Z \forall R \subset Y \times Z.\ ((y\,Y)\,\rho''[R]\,(z\,Z)))$$

One can now acquire further definable relations by substituting definable relations for type variables in types. For $X = X_1, \ldots, X_n$, $B = B_1, \ldots, B_n$, $C = C_1, \ldots, C_n$ and $\rho = \rho_1, \ldots, \rho_n$, where $\rho_i \subset B_i \times C_i$, we get $T[\rho] \subset T[B] \times T[C]$, the action of $T[X]$ on $\rho$, defined by cases on $T[X]$ as follows: 

$T[X] = X_i$ : $T[\rho] = \rho_i$ 

$T[X] = T'[X] \to T''[X]$ : $T[\rho] = T'[\rho] \to T''[\rho]$ 

$T[X] = \forall X'.T'[X, X']$ : $T[\rho] = \forall(Y, Z, R \subset Y \times Z).T'[\rho, R]$ 

The proof system is natural deduction over formulae now involving relation symbols, and is augmented with inference rules for relation symbols, for example we have for $\Phi$ a finite set of formulae: 

$$\frac{\Phi \vdash_{\Gamma, R \subset A \times B} \phi[R]}{\Phi \vdash_\Gamma \forall R \subset A \times B.\ \phi[R]} \qquad\qquad \frac{\Phi \vdash_\Gamma \forall R \subset A \times B.\ \phi[R] \qquad \Gamma \vdash \rho \subset A \times B}{\Phi \vdash_\Gamma \phi[\rho]}$$

One also has axioms for equational reasoning and $\beta\eta$ equalities. Finally, the following parametricity axiom schema is asserted: 

$$\mathrm{Param}:\qquad \vdash_\emptyset \forall Y_1, \ldots, \forall Y_n\, \forall u{:}(\forall X.T[X, Y_1, \ldots, Y_n]).\ u\,(\forall X.T[X, eq_{Y_1}, \ldots, eq_{Y_n}])\,u$$

To understand, it helps to ignore the parameters $Y_i$ and expand the definition to get $\forall u{:}(\forall X.T[X])\, \forall Y \forall Z \forall R \subset Y \times Z.\ u(Y)\,T[R]\,u(Z)$, i.e. if one instantiates a polymorphic inhabitant at two related types then the results are also related. 
One gets 

Fact 1 (Identity Extension Lemma [24]). For any $T[Z]$, the following sequent is derivable using Param. 

$$\vdash_\emptyset \forall Z.\forall u, v{:}T.\ (u\,T[eq_Z]\,v \Leftrightarrow (u =_T v))$$
Encapsulation is provided by the following encoding of existential types and the following pack and unpack combinators. 

$$\exists X.T[X] = \forall Y.(\forall X.(T[X] \to Y) \to Y)$$

$$\mathrm{pack}_{T[X]} : \forall X.(T[X] \to \exists X.T[X])$$

$$\mathrm{pack}_{T[X]}(A)(impl) = \Lambda Y.\lambda f{:}\forall X.(T[X] \to Y).\ f(A)(impl)$$

$$\mathrm{unpack}_{T[X]} : (\exists X.T[X]) \to \forall Y.(\forall X.(T[X] \to Y) \to Y)$$

$$\mathrm{unpack}_{T[X]}(package)(B)(client) = package(B)(client)$$

We omit subscripts to pack and unpack as much as possible. Operationally, pack 
packages a data representation and an implementation of operators on that data 
representation. The resulting package is a polymorphic functional that given a 
client and its result domain, instantiates the client with the particular elements 
of the package. And unpack is the application operator for pack. 

Fact 2 (Characterisation by Simulation Relation [24]). The following sequent schema is derivable using Param. 

$$\vdash_\emptyset \forall Z\, \forall u, v{:}\exists X.T[X, Z].\ u =_{\exists X.T[X, Z]} v \Leftrightarrow \exists A, B.\exists a{:}T[A, Z], b{:}T[B, Z].\exists R \subset A \times B.\ u = (\mathrm{pack}\,A\,a) \wedge v = (\mathrm{pack}\,B\,b) \wedge a\,(T[R, eq_Z])\,b$$

The sequent in Fact 2 states the equivalence of equality at existential type with the existence of a simulation relation in the sense of [21]. From this we also get 

$$\vdash_\emptyset \forall Z\, \forall u{:}\exists X.T[X, Z].\ \exists A.\exists a{:}T[A, Z].\ u = (\mathrm{pack}\,A\,a)$$

Weak versions of standard constructs such as products, initial and final 
(co-)algebras are encodable in System F [8]. With Param, these constructs are 
provably universal constructions. We can e.g. freely use product types. Given $\rho \subset A \times B$ and $\rho' \subset A' \times B'$, $(\rho \times \rho')$ is defined as the action $(X \times X')[\rho, \rho']$. One derives $\forall u{:}A \times A', v{:}B \times B'.\ u\,(\rho \times \rho')\,v \Leftrightarrow (\mathrm{fst}(u)\,\rho\,\mathrm{fst}(v) \wedge \mathrm{snd}(u)\,\rho'\,\mathrm{snd}(v))$. We also use the abbreviations $bool = \forall X.X \to X \to X$ and $nat = \forall X.X \to (X \to X) \to X$, which are provably initial constructs. 

Finally, this logic is sound w.r.t. the parametric PER-model of [3]. 

4 The Translation 

We now define a translation $\mathcal{T}$ giving an interpretation in the type theory and logic outlined in Sect. 3, of the concept of algebraic specification refinement $(SP_j, Obs, In) \leadsto_\kappa (SP_{j+1}, Obs', In')$. We will use inhabitants of existential types 
as analogues to algebras, and then existentially quantified variables will corre- 
spond to non-observable {behavioural) sorts. 

To keep things simple, we will at any one refinement stage assume a single 
behavioural sort b; methodologically this means focusing on one data type at a 
time, and on one thread in a development. Thus we can stick to existential types 
with one existentially quantified variable. It is straight-forward to generalise to 
multiple existentially quantified variables [21]. 

In algebraic specification, there is no restraint on the choice of input sorts and 
observable sorts within the sorts $S$ of a signature. In the type-theoretic setting, 
we will see that we have only one choice for the corresponding notion of input 
types, namely the collection of all types. Since a behavioural sort corresponds to 
an existentially quantified type variable, this automatically caters for situations 
which in algebraic specification correspond to crucially excluding the behavioural 
sort from the input sorts (Example 2). In algebraic specification, conforming 
to this type-theoretic insistence means assuming $In = S \setminus \{b\}$, which probably 
covers all reasonable examples of refinement. Thus, the type-theoretic formalisms 
inherently select a sensible choice. 

For observable types on the other hand, we seem to have some choice. Our 
assumption of at most one behavioural sort means $Obs = S \setminus \{b\}$, hence $Obs = In$, 
in the algebraic specification setting. In type theory we could therefore let all 
types be observable types, as we must for input types. However, since ‘observable’ 
should mean ‘printable’, we limit the observable types by letting Obs denote also 
observable types; we assume that for every sort $s \in Obs$ there is an obvious closed type given the name $s$, for which the Identity Extension Lemma (Fact 1) gives $x\,(s[\rho])\,y \Leftrightarrow x =_s y$. Examples are $bool$ and $nat$. 

Note that the assumption of $Obs = In$ means that it suffices to write algebraic specification refinement as $(SP_j, Obs) \leadsto (SP_{j+1}, Obs')$. 

In the following we use record type notation as a notational convenience. 

Definition 1 (Translation and Type Theory Specification). 

Let $SP = (\Sigma, \Phi)$ where $\Sigma = (S, \Omega)$. Define the translation $\mathcal{T}$ by 

$$\mathcal{T}(SP, Obs) = ((Sig_{SP}, \Theta_{SP}), Obs)$$
where $Sig_{SP} = \exists X.Prof_{SP}$, 
where $Prof_{SP} = \mathrm{Record}(f_1{:}s_{11} \times \cdots \times s_{1n_1} \to s_1, \ldots, f_k{:}s_{k1} \times \cdots \times s_{kn_k} \to s_k)[X/b]$, 
for $f_i{:}s_{i1} \times \cdots \times s_{in_i} \to s_i \in \Omega$, 
and where $\Theta_{SP}(u) = \exists X.\exists\mathfrak{x}{:}Prof_{SP}.\ u = (\mathrm{pack}\,X\,\mathfrak{x}) \wedge \Phi[X, \mathfrak{x}]$. 

Here $\Phi[X, \mathfrak{x}]$ indicates the conjunction of $\Phi$, where $X$ substitutes $b$, and every operator symbol in $\Phi$ belonging to $\Omega$ is prefixed with $\mathfrak{x}$. We call $\mathcal{T}(SP, Obs)$ a type theory specification. If $\Theta_{SP}(u)$ is derivable then $u$ is a realisation of $\mathcal{T}(SP, Obs)$. 

Example 5. For example, $\mathcal{T}(\mathsf{Stack}, \{nat\}) = ((Sig_{\mathsf{Stack}}, \Theta_{\mathsf{Stack}}), \{nat\})$, where 

$Sig_{\mathsf{Stack}} = \exists X.Prof_{\mathsf{Stack}}$, 

$Prof_{\mathsf{Stack}} = \mathrm{Record}(empty{:}X, push{:}nat \times X \to X, pop{:}X \to X, top{:}X \to nat)$ 

$\Theta_{\mathsf{Stack}}(u) = \exists X.\exists\mathfrak{x}{:}Prof_{\mathsf{Stack}}.\ u = (\mathrm{pack}\,X\,\mathfrak{x})\ \wedge$ 
$\qquad \forall x{:}nat, s{:}X.\ \mathfrak{x}.pop(\mathfrak{x}.push(x, s)) = s\ \wedge$ 
$\qquad \forall x{:}nat, s{:}X.\ \mathfrak{x}.top(\mathfrak{x}.push(x, s)) = x$ 

Henceforth, existential types arise from algebraic specifications as in Def. 1. We 
do not consider free type variables in existential types since this corresponds to 
parameterised algebraic specifications, which is outside this paper’s scope. 
The type theory specification of Def. 1 is essentially that of [17]. The impor- 
tant difference is that with parametricity, equality of data type inhabitants is 
inherently behavioural, so implementation is up to observational equivalence. 

In algebraic specification we said that two $\Sigma$-algebras $A$ and $B$ are observationally equivalent w.r.t. $Obs$ and $In$ iff for any observable computation $t \in T_\Sigma(X_{In})_s$, $s \in Obs$, the interpretations $t^A$ and $t^B$ are equivalent. Analogously, and in the style of [21], we give the following definition of type-theoretic observational equivalence. 

Definition 2 (Type Theory Observational Equivalence). For any u,v: 
3X.T[X], we say u and v are observationally equivalent w.r.t. Obs iff the fol- 
lowing sequent is derivable. 

$$\vdash_\Gamma \exists A, B.\exists a{:}T[A], b{:}T[B].\ u = (\mathrm{pack}\,A\,a) \wedge v = (\mathrm{pack}\,B\,b) \wedge \bigwedge_{C \in Obs} \forall f{:}\forall X.(T[X] \to C).\ (f\,A\,a) = (f\,B\,b)$$

Notice that there is nothing hindering having free variables in an observable computation $f{:}\forall X.(T[X] \to C)$. Importantly, though, these free variables cannot be of the existentially bound type. 

Example 6. Recalling Example 2, for ListImpl to be a behavioural implementation of Set, it was essential that the input sorts did not include set, as then the observable computation in(x, remove(x, s)) would not have the same denotation in ListImpl as in any algebra in $[\![\mathsf{Set}]\!]$. In our type-theoretic setting, the corresponding observable computation is $\Lambda X.\lambda\mathfrak{x}{:}Prof_{\mathsf{Set}}.\ \mathfrak{x}.in(x, \mathfrak{x}.remove(x, g))$. Here $g$ must be a term of the bound type $X$. The typing rules insist that $g$ can only be of the form $\mathfrak{x}.add(\cdots\,\mathfrak{x}.add(\mathfrak{x}.empty)\,\cdots)$ and not a free variable. ◻ 

Our first result is essential to understanding the translation. 

Theorem 3. Suppose $\exists X.T[X] = Sig_{SP}$ in $\mathcal{T}(SP, Obs)$ for some basic algebraic specification $SP$ and set of observable sorts $Obs$. Then, assuming Param, equality at existential type is derivably equivalent to observational equivalence, i.e. the following sequent is derivable in the logic. 

$$\vdash_\emptyset \forall u, v{:}\exists X.T[X].\ u =_{\exists X.T[X]} v \Leftrightarrow \exists A, B.\exists a{:}T[A], b{:}T[B].\ u = (\mathrm{pack}\,A\,a) \wedge v = (\mathrm{pack}\,B\,b) \wedge \bigwedge_{C \in Obs} \forall f{:}\forall X.(T[X] \to C).\ (f\,A\,a) = (f\,B\,b)$$

Proof: This follows from Fact 2 and Lemma 4 below. □ 



Lemma 4. Let $\exists X.T[X] = Sig_{SP}$ be as in Theorem 3. Then, assuming Param, the existence of a simulation relation is derivably equivalent to observational equivalence, i.e. the following sequent is derivable. 

$$\vdash_\emptyset \forall A, B.\forall a{:}T[A], b{:}T[B].\ \exists R \subset A \times B.\ a\,(T[R])\,b \Leftrightarrow \bigwedge_{C \in Obs} \forall f{:}\forall X.(T[X] \to C).\ (f\,A\,a) = (f\,B\,b)$$
Proof: $\Rightarrow$: This follows from Param. 

$\Leftarrow$: We must exhibit an $R$ such that $a\,(T[R])\,b$. Semantically, [22,33] define a relation between elements iff they are denotable by some common term. We mimic this: Give $R = (x{:}A, y{:}B).(\exists f{:}\forall X.(T[X] \to X).\ (f\,A\,a) = x \wedge (f\,B\,b) = y)$. We must now derive $a\,(T[R])\,b$, i.e. for every component $(g{:}s_1 \times \cdots \times s_n \to s)[X/b]$ in $T[X]$, we must show that 

$$\forall v_1{:}s_1[A], \ldots, \forall v_n{:}s_n[A], \forall w_1{:}s_1[B], \ldots, \forall w_n{:}s_n[B].\ v_1\,s_1[R]\,w_1 \wedge \cdots \wedge v_n\,s_n[R]\,w_n \Rightarrow a.g(v_1, \ldots, v_n)\,s[R]\,b.g(w_1, \ldots, w_n)$$

Under our present assumptions, any $s_j$ in the antecedent is either $b$ or else an observable sort. If $s_j$ is $b$ then the antecedent says $v_j\,R\,w_j$, hence we may assume $\exists f_j{:}\forall X.(T[X] \to X).\ (f_j\,A\,a) = v_j \wedge (f_j\,B\,b) = w_j$. If $s_j$ is an observable sort we may by Fact 1 assume $v_j = w_j$. Consider $f = \Lambda X.\lambda\mathfrak{x}{:}T[X].\ \mathfrak{x}.g(u_1, \ldots, u_n)$, where $u_j$ is $(f_j\,X\,\mathfrak{x})$ if $s_j$ is $b$, and $u_j = v_j$ otherwise. 

Suppose now the co-domain sort $s$ is an observable sort. Then by assumption we have $(f\,A\,a) = (f\,B\,b)$ and by $\beta$-reduction we are done. Suppose the co-domain sort $s$ is $b$. Then we need to derive $a.g(v_1, \ldots, v_n)\,R\,b.g(w_1, \ldots, w_n)$, i.e. that $\exists f{:}\forall X.(T[X] \to X).\ (f\,A\,a) = a.g(v_1, \ldots, v_n) \wedge (f\,B\,b) = b.g(w_1, \ldots, w_n)$. But then we exhibit our $f$ above, and we are done. □ 

This proof does not in general generalise to higher order T. The problem lies in 
exhibiting a simulation relation R. 

Given Theorem 3, $\Theta_{SP}(u)$ of translation $\mathcal{T}$ expresses "$u$ is observationally equivalent to a package $(\mathrm{pack}\,X\,\mathfrak{x})$ that satisfies the axioms $\Phi$". Therefore: 

Definition 3 (Type Theory Specification Refinement). A type theory specification $\mathcal{T}(SP', Obs')$ is a refinement of a type theory specification $\mathcal{T}(SP, Obs)$, with constructor $F{:}Sig_{SP'} \to Sig_{SP}$ iff $\vdash_\emptyset \forall u{:}Sig_{SP'}.\ \Theta_{SP'}(u) \Rightarrow \Theta_{SP}(F\,u)$ is derivable. We write $\mathcal{T}(SP, Obs) \leadsto_F \mathcal{T}(SP', Obs')$ for this fact. 

Any constructor $F{:}Sig_{SP'} \to Sig_{SP}$ is by Theorem 3 inherently stable under parametricity: Congruence gives $\forall u, v{:}Sig_{SP'}.\ u =_{Sig_{SP'}} v \Rightarrow F(u) =_{Sig_{SP}} F(v)$. But equality at existential type is of course observational equivalence. 

Example 7. The constructor $Tr$ of Example 3 is expressed in this setting as 

$$\lambda u{:}Sig_{\mathsf{Stack}}.\ \mathrm{unpack}(u)(Sig_{\mathsf{Triv}})(\Lambda X.\lambda\mathfrak{x}{:}Prof_{\mathsf{Stack}}.\ (\mathrm{pack}\,X\,\mathrm{record}(id = \lambda x, n, z{:}nat.\ \mathfrak{x}.top(multipop(n, multipush(n, z, \mathfrak{x}.push(x, \mathfrak{x}.empty)))))))$$ ◻ 

Note that we automatically get the proof simplification due to stability that we 
have in algebraic specification. Since observational equivalence is simply equality 
in the type theory, it is sound to substitute any package with an observationally 
equivalent package that satisfies the axioms of the specification literally. 

Observe that the non-stable constructor Tr' from Example 4 is not express- 
ible in the type theory, because x =x y Prop is not allowed in System F terms. 
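The following Python script is an added example, not code from the paper. It reproduces the pack/unpack encoding of Sect. 3 and the constructors of Examples 3, 4 and 7 on two concrete Stack packages, a list representation and the stack-with-pointer representation of Sect. 2. Python is untyped, so the representation type A of pack A impl is simply erased and a client receives only the record of operations; the record keys, the two representations and the test inputs are constructed for the example. Tr uses only the Stack operations and yields id(x, n, z) = x on both packages, even though pop(push(x, s)) = s fails structurally in the pointer representation; Tr' compares hidden representations with Python's ==, the x =_X y that System F cannot express, and consequently gives different answers on two observationally equivalent packages.

```python
# Added example (not from the paper): System F packages in Python. pack/unpack
# follow the encoding of Sect. 3; the Stack packages, Tr and Tr' are the
# algebras and constructors of Examples 3, 4 and 7.

def pack(impl):
    # pack_{T[X]}(A)(impl) = ΛY.λf:∀X.(T[X]→Y). f(A)(impl)
    # The representation type A is erased: a client only ever sees `impl`.
    return lambda client: client(impl)

def unpack(package, client):
    # unpack(package)(B)(client) = package(B)(client)
    return package(client)

def make_list_stack():
    """Stack of naturals as an immutable tuple, top at the right."""
    return pack({
        "empty": (),
        "push": lambda x, s: s + (x,),
        "pop": lambda s: s[:-1],
        "top": lambda s: s[-1],
    })

def make_array_stack():
    """Stack-with-pointer (array, ptr). pop only moves the pointer and leaves
    the cell behind, so pop(push(x, s)) = s fails as structural equality."""
    def push(x, s):
        arr, ptr = s
        return (arr[:ptr] + (x,) + arr[ptr + 1:], ptr + 1)
    def pop(s):
        arr, ptr = s
        return (arr, ptr - 1)
    def top(s):
        arr, ptr = s
        return arr[ptr - 1]
    return pack({"empty": ((), 0), "push": push, "pop": pop, "top": top})

def observe(package):
    """An observable computation of sort nat: top(pop(push(1, push(2, empty))))."""
    return unpack(package, lambda st:
                  st["top"](st["pop"](st["push"](1, st["push"](2, st["empty"])))))

def pop_push_literally(package):
    """Does pop(push(0, empty)) = empty hold as structural equality on the
    hidden representation? Only a non-parametric client can even ask this."""
    return unpack(package, lambda st:
                  st["pop"](st["push"](0, st["empty"])) == st["empty"])

def Tr(package):
    """Examples 3 and 7: the client uses only the Stack operations, so it is
    parametric in the representation and therefore stable."""
    def client(st):
        def multipush(n, z, a):
            return a if n == 0 else st["push"](z, multipush(n - 1, z + 1, a))
        def multipop(n, a):
            return a if n == 0 else multipop(n - 1, st["pop"](a))
        def ident(x, n, z):
            return st["top"](multipop(n, multipush(n, z, st["push"](x, st["empty"]))))
        return {"id": ident}
    return unpack(package, client)

def Tr_prime(package):
    """Example 4: Python's == on the hidden representation plays the role of
    the x =_X y that System F forbids. The result now depends on the
    representation rather than on observable behaviour, so Tr' is not stable."""
    def client(st):
        def ident(x, n, z):
            if st["pop"](st["push"](z, st["empty"])) == st["empty"]:
                return x
            return x + 1   # constructed: any value other than x breaks id(x, n, z) = x
        return {"id": ident}
    return unpack(package, client)

if __name__ == "__main__":
    for make in (make_list_stack, make_array_stack):
        p = make()
        print(make.__name__, observe(p), pop_push_literally(p),
              Tr(p)["id"](7, 3, 0), Tr_prime(p)["id"](7, 3, 0))
```

Both packages give observe = 2, and Tr returns x on both; Tr_prime returns x only for the list package. A client that can observe the representation is exactly what parametricity rules out; in an untyped or reflective language the abstraction barrier has to be enforced by other means (no structural equality, hashing or serialisation of the hidden value), otherwise the stability argument of Sect. 2 does not transfer.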
5 A Correspondence at First Order 

We seek to establish a formal connection between the concept of algebraic spec- 
ification refinement and its type-theoretic counterpart as defined in Def. 3, i.e. 

$$(SP, Obs) \leadsto_\kappa (SP', Obs') \Leftrightarrow \mathcal{T}(SP, Obs) \leadsto_F \mathcal{T}(SP', Obs')$$

where $\kappa$ and $F$ are constructors that correspond in a sense given below. 

Now, that $u$ is a realisation of a type theory specification $((Sig_{SP}, \Theta_{SP}), Obs)$ can in general only be proven by exhibiting an observationally equivalent package $u'$ that satisfies $\Phi$. For any particular closed term $u{:}Sig_{SP}$, one can attempt to construct such a $u'$, perhaps ingeniously, using details of $u$. But to show that a specification is a refinement of another specification we are asked to consider a term $(\mathrm{pack}\,A\,a)$ where we do not know details of $A$ or $a$. We therefore need 
a universal method for exhibiting suitable observationally equivalent packages. 
It also defies the point of behavioural abstraction having to construe a literal 
implementation to justify a behavioural one. 

In algebraic specification one proves observational refinements by first considering quotients w.r.t. a possibly partial congruence $\approx_{Obs,In}$ induced by $Obs$ and $In$ [5], and then using an axiomatisation of this quotienting congruence to prove relativised versions of the axioms of the specification to be refined. In the case that this congruence is partial, clauses restricting to the domain of the congruence must also be incorporated [6,4]. The quotients are of the form 

$$dom_A(\approx_{Obs,In})/\!\approx_{Obs,In}, \qquad \text{where } dom_A(\approx_{Obs,In})_s = \{a \in A_s \mid a \approx_{Obs,In} a\}.$$

This proof method is not available in the type theory and logic of [24]. One 
remedy would be to augment the type theory by quotient types, e.g. [ 11 ], and 
subset types. However, for its simplicity and because it complies to existing proof 
techniques in algebraic specification, we adapt an idea from [25] where the logic is 
augmented with an axiom schema postulating the existence of quotients (Def. 4). 
In addition, we need a schema asserting the existence of sub-objects (Def. 5) for 
dealing with partial congruences. The justification for these axioms lies in their 
soundness w.r.t. the parametric PER-model [3] that is one justification for the 
logic of [24]. These axioms are tailored to suit refinement proof purposes. One 
could alternatively derive them from more fundamental and general axioms. 

Definition 4 (Existence of Quotients (Quot) [25]). 

$$\vdash_\emptyset \forall X\, \forall\mathfrak{x}{:}T[X].\forall R \subset X \times X.\ (\mathfrak{x}\,T[R]\,\mathfrak{x} \wedge equiv(R)) \Rightarrow$$
$$\exists Q\, \exists\mathfrak{q}{:}T[Q]\, \exists epi{:}X \to Q.\ \forall x, y{:}X.\ x\,R\,y \Leftrightarrow (epi\,x) =_Q (epi\,y)\ \wedge$$
$$\forall q{:}Q\, \exists x{:}X.\ q =_Q (epi\,x)\ \wedge$$
$$\mathfrak{x}\,(T[(x{:}X, q{:}Q).((epi\,x) =_Q q)])\,\mathfrak{q}$$

where $equiv(R)$ specifies $R$ to be an equivalence relation. 

Definition 5 (Existence of Sub-objects (Sub)). 

$$\vdash_\emptyset \forall X.\forall\mathfrak{x}{:}T[X]\, \forall R \subset X \times X.\ (\mathfrak{x}\,T[R]\,\mathfrak{x}) \Rightarrow$$
$$\exists S.\exists\mathfrak{s}{:}T[S].\exists R' \subset S \times S.\exists mono{:}S \to X.\ \mathfrak{x}\,(T[(x{:}X, s{:}S).(x =_X (mono\,s))])\,\mathfrak{s}\ \wedge$$
$$\forall s, s'{:}S.\ s\,R'\,s' \Leftrightarrow (mono\,s)\,R\,(mono\,s')\ \wedge$$
$$\forall s{:}S.\ s\,R'\,s$$
Algebraic specification uses classical logic, while the logic in [24] is construc- 
tive. However, formulae may be interpreted classically in the parametric PER- 
model, and it is sound w.r.t. this model to assume the axiom of excluded middle 
[24]. For our comparison with algebraic specification, we shall do this. 

We can now show our desired correspondence. We first do this for refinements 
without constructors. We must assume that specifications are behaviourally closed 
w.r.t. $\approx_{Obs,In}$, i.e. $\{dom_A(\approx_{Obs,In})/\!\approx_{Obs,In} \mid A \in [\![SP]\!]\} \subseteq [\![SP]\!]$. This is methodologically an obvious requirement for behavioural specification [6,5]. 

Theorem 5. Let $SP = (\Sigma, \Phi)$ and $SP' = (\Sigma, \Phi')$ be basic algebraic specifications, with $\Sigma = (S, \Omega)$. Assume one behavioural sort $b$, and assume $Obs = In = S \setminus \{b\}$. Assume behavioural closedness w.r.t. $\approx_{Obs,In}$. Then 

$$(SP, Obs) \leadsto (SP', Obs) \Leftrightarrow \mathcal{T}(SP, Obs) \leadsto \mathcal{T}(SP', Obs)$$

Proof: We must show the derivability of $\vdash_\Gamma \forall u{:}Sig_{SP'}.\ \Theta_{SP'}(u) \Rightarrow \Theta_{SP}(u)$. 

$\Rightarrow$: We can obtain proof-theoretical information from $(SP, Obs) \leadsto (SP', Obs)$. By behavioural closedness, there exists a sound and complete calculus for behavioural refinement, based on a calculus for structured specifications [6]. By syntax directedness, we must have had $SP'/\!\approx_{Obs,In}\ \vdash \Phi$ in that calculus, where the semantics of $SP'/\!\approx_{Obs,In}$ is $\{dom_A(\approx_{Obs,In})/\!\approx_{Obs,In} \mid A \in [\![SP']\!]\}$. For our basic specification case, this boils down to the predicate logic statement of 

$$\Phi', Ax(\sim) \vdash \mathcal{L}(\Phi) \qquad (\dagger)$$

Here $\sim$ stands for a new symbol representing $\approx_{Obs,In}$ at the behavioural sort $b$, and $\mathcal{L}(\Phi) = \{\mathcal{L}(\phi) \mid \phi \in \Phi\}$, for $\mathcal{L}(\phi) = (\bigwedge_{v \in FV_b(\phi)} v \sim v) \Rightarrow \phi^*$, where $FV_b(\phi)$ is the set of free variables of sort $b$ in $\phi$, and where inductively 

(a) $(u =_b v)^* = u \sim v$, 

(b) $(\neg\phi)^* = \neg(\phi^*)$ and $(\phi \wedge \psi)^* = \phi^* \wedge \psi^*$, 

(c) $(\forall x{:}b.\phi)^* = \forall x{:}b.(x \sim x \Rightarrow \phi^*)$, 

(d) $\phi^* = \phi$, otherwise. 

and $Ax(\sim) = \forall x, y{:}b.(x \sim y \Leftrightarrow Beh_b(x, y))$, where $Beh_b(x, y)$ is an axiomatisation of $\approx_{Obs,In}$ at $b$ [4]. (At $s \in Obs = In$, $\approx_{Obs,In}$ is just equality.) 
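As an added illustration of $\mathcal{L}$ (not part of the original proof), take the two Stack axioms of Example 1 with their variables free, as they are written there, so that $b = stack$, $Obs = In = \{nat\}$ and $FV_b(\phi) = \{s\}$ for both. The first axiom is an equation at sort $stack$, so clause (a) applies: 

$$\mathcal{L}(pop(push(x, s)) = s) = (s \sim s) \Rightarrow pop(push(x, s)) \sim s$$

The second is an equation at the observable sort $nat$, which clause (d) leaves unchanged: 

$$\mathcal{L}(top(push(x, s)) = x) = (s \sim s) \Rightarrow top(push(x, s)) = x$$

The hypothesis $s \sim s$ restricts $s$ to the domain of the partial congruence, and the first conclusion asks for behavioural rather than literal equality. This is what admits the stack-with-pointer algebra of Sect. 2, where $pop(push(x, s)) = s$ fails but $pop(push(x, s)) \sim s$ holds, and it is why the witness built from Sub and Quot below must satisfy $\Phi$ only up to $\sim'$ before $epi$ collapses $\sim'$ into equality at $Q$.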

Using this we derive our goal as follows. Let $u{:}Sig_{SP'}$ be arbitrary. Let $T$ denote $Prof_{SP'}$ $(= Prof_{SP})$. We must derive $\exists B.\exists b{:}T[B].\ (\mathrm{pack}\,B\,b) = u \wedge \Phi[B, b]$ assuming $\exists A.\exists a{:}T[A].\ (\mathrm{pack}\,A\,a) = u \wedge \Phi'[A, a]$. Let $a$ and $A$ denote the witnesses projected out from that assumption. 

Now, $Beh$ is in general infinitary. However, with higher-order logic one gets a finitary $Beh^*$ equivalent to $Beh$ [12]. Thus we form $\sim$ type-theoretically by $\sim\ = (a{:}A, a'{:}A).(Beh^*_A(a, a'))$. Since $\sim$ is an axiomatisation of a partial congruence, we have $a\,T[\sim]\,a$. We use Sub to get $S_A$, $\mathfrak{s}_A$ and $\sim' \subset S_A \times S_A$ and $mono{:}S_A \to A$ s.t. we can derive 

(s1) $a\,(T[(a{:}A, s{:}S_A).(a =_A (mono\,s))])\,\mathfrak{s}_A$ 

(s2) $\forall s, s'{:}S_A.\ s \sim' s' \Leftrightarrow (mono\,s) \sim (mono\,s')$ 

(s3) $\forall s{:}S_A.\ s \sim' s$ 
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By (s2) we get Sa 6a- We also get equiv{^') by (s3). We now use Quot 
to get Q and q:T[Q] and epi:SA Q s.t. 

((/I) Vs, s': Sa ■ s s' O {epi s) =q {epi s') 

{q2) yq:Q3s:SA ■ q =q {epi s) 

{q3) Sd {T[{s:SA,q:Q)-{{epis) =q g)]) q 

We exhibit Q for B, and q for b; it remains to derive 1. (packQq) = (pack^do) 
and 2. q]. To show the derivability of (1), it suffices to observe that, through 

Fact 2, (si) and {q3) give (pack^do) = (packS'^Sd) = (packQq). For (2) we must 
show the derivability of (plQ, q] for every (p £ We induce on the structure of <p. 

(a) $\phi$ is $u =_b v$. We must derive $u[q] =_Q v[q]$. For any variable $q_i{:}Q$ in $u[q]$ or $v[q]$, we may by (q2) assume an $s_{q_i}{:}S_A$ s.t. $(epi\ s_{q_i}) = q_i$. From (†) we can derive

$\bigwedge_i ((mono\ s_{q_i}) \sim (mono\ s_{q_i})) \Rightarrow u[a][\cdots (mono\ s_{q_i}) \cdots] \sim v[a][\cdots (mono\ s_{q_i}) \cdots]$,

but by (s2) and (s1) this is equivalent to $\bigwedge_i (s_{q_i} \sim' s_{q_i}) \Rightarrow u[s_A][\cdots s_{q_i} \cdots] \sim' v[s_A][\cdots s_{q_i} \cdots]$, which by (s3) is equivalent to $u[s_A][\cdots s_{q_i} \cdots] \sim' v[s_A][\cdots s_{q_i} \cdots]$. Then from (q1) we can derive $(epi\ u[s_A][\cdots s_{q_i} \cdots]) =_Q (epi\ v[s_A][\cdots s_{q_i} \cdots])$. By (q3) we then get $(epi\ u[s_A][\cdots s_{q_i} \cdots]) = u[q]$ and $(epi\ v[s_A][\cdots s_{q_i} \cdots]) = v[q]$.

(b) Suppose $\phi = \neg\phi'$. By negation n.f. convertibility it suffices to consider $\phi'$ an atomic formula. The case for $\phi'$ as in (a) warrants a proof for $\neg\phi'$ similar to that of (a). Suppose $\phi = \phi' \vee \phi''$. This is dealt with by i.h. on $\phi'$ and $\phi''$.

(c) $\phi = \forall x{:}B.\,\phi'$. This is dealt with by i.h. on $\phi'$.

(d) This covers the remaining cases. Proofs are similar to those above.

$\Leftarrow$: Observe that to show $\Phi[Q,q]$ we must either use $\Phi'[Q,q]$ and the definition of, or else $\Phi[Q,q]$ was a tautology; in both cases we get (†). □

We can easily extend Theorem 5 to deal with constructors. Dealing with constructors in full generality requires specification building operators, which is outside the scope of this paper. However, consider simple type theory constructors $F : Sig_{SP'} \to Sig_{SP}$ of the form

$\lambda u{:}Sig_{SP'}.\ \mathsf{unpack}(u)(Sig_{SP})(\Lambda X.\lambda x{:}Prof_{SP'}[X].\ (\mathsf{pack}\,X\,x'))$

for some $x' : Prof_{SP}[X]$. The concept of algebraic specification of algebras is extended in [28] to algebraic specifications of constructors. In the simple case, we can extend our translation in Def. 1 to this framework.

Example 8. An algebraic specification of Example 3's $Tr$ can be given by $\Pi S{:}Stack.\,Triv'$ where $Triv'$ is

hide multipush, multipop in
  operators multipush: nat × nat × S.stack → S.stack,
            multipop: nat × S.stack → S.stack,
            id: nat × nat × nat → nat
  axioms $\phi_{Tr}$: multipop(n, multipush(n, z, s)) = s
                 id(x, n, z) = S.top(multipop(n, multipush(n, z, S.push(x, S.empty))))

We can give a corresponding type theory specification $T(\Pi S{:}Stack.Triv')$ by $(\Phi_{\Pi S:Stack.Triv'},\ Sig_{\Pi S:Stack.Triv'})$, where $Sig_{\Pi S:Stack.Triv'} = Sig_{Stack} \to Sig_{Triv}$ and

$\Phi_{\Pi S:Stack.Triv'}(u,v) = \exists X.\exists y{:}Prof_{Stack}[X].\ (\mathsf{pack}\,X\,y) = u \wedge (\mathsf{pack}\,X\,p) = v \wedge \ldots \wedge$
$\forall x, n, z{:}nat.\ p.id(x,n,z) = y.top(multipop(n, multipush(n, z, y.push(x, y.empty))))$

whereby $F$ is a realisation of, or satisfies, $T(\Pi S{:}Stack.Triv')$ if one can derive

$\forall u{:}Sig_{Stack}.\ \Phi_{Stack}(u) \Rightarrow \Phi_{\Pi S:Stack.Triv'}(u, F\,u)$.

We now want to show $(SP,Obs) \leadsto_\kappa (SP',Obs') \Leftrightarrow T(SP,Obs) \leadsto_F T(SP',Obs')$

where $\kappa$ is a realisation of a specification $SP_\kappa$ that maps to a specification $T(SP_\kappa)$ for which $F$, a simple constructor, is a realisation, and where the axioms of $SP_F$ and $T(SP_F)$ are given by $\Phi_F$. We have to show the derivability of $\vdash_F \forall u{:}Sig_{SP'}.\ \Phi_{SP'}(u) \Rightarrow \Phi_{SP}(F\,u)$, supposing $(SP,Obs) \leadsto_\kappa (SP',Obs')$. Similarly to the proof of Theorem 5, we get $\Phi', Ax(\sim), \Phi_F \vdash \Phi^*$ (‡). We need to exhibit a $B$ and $b$ s.t. 1. $\mathsf{pack}\,B\,b = F(\mathsf{pack}\,A\,a)$ and 2. $\Phi[B,b]$. We construct $Q$ and $q$ from $F(\mathsf{pack}\,A\,a) = \mathsf{pack}\,A\,a'$, for $a' : Prof_{SP}[A]$, as in the proof of Theorem 5, and (1) follows as before. Then for (2), to show $\Phi[Q,q]$, and also for the converse direction, use (‡) in place of (†).

Finally and importantly, the direction of the proof of Theorem 5 displays 
a reasoning technique in its own right for type theory specification refinement. 
This extends the discussion in [25] to deal also with partial congruences. 

6 Final Remarks 

In this paper we have expressed an account of algebraic specification refinement 
in System F and the logic for parametric polymorphism of [24]. We have seen in 
Sect. 4 how the concepts of behavioural (observational) refinement, and stable 
constructors are inherent in this type-theoretic setting, because at first order, 
equality at existential type is exactly observational equivalence (Theorem 3). We 
have shown a correspondence (Theorem 5) between refinement in the algebraic 
specification sense, and a notion of type theory specification refinement (Def. 3). 
We have seen how a proof technique from algebraic specification can be mirrored 
in type theory by extending the logic soundly with axioms Quot and Sub, the 
latter also extending the discussion in [25]. 

The stage is now set for type-theoretic development in at least two directions. 
First, algebraic specification has much more to it than presented here. An obvious 
extension would be to express specification building operators in System F. This 
would also allow a full account of specifications of parameterised programs and 
also parameterised specifications [28]. 

Secondly, we can use our notion of type theory specification refinement and 
start looking at specification refinement for higher-order polymorphic functionals. 
In this context one must resolve what observational equivalence means, since 
the higher-order version of Theorem 3 is an open question. However, there are 
grounds to consider an alternative notion of simulation relation that would 
re-establish a higher-order version of Lemma 4. Operationally, the only way two 
concrete data types $(\mathsf{pack}\,A\,a) : \exists X.T[X]$ and $(\mathsf{pack}\,B\,b) : \exists X.T[X]$ can be utilised is in 
clients of the form $\Lambda X.\lambda x{:}T[X].\ x.f$. Such a client cannot incite the application 
of functionals $a.f$ and $b.f$ whose domain types involve the instantiations $A$ and 
$B$ of the existential type variable, to arbitrary terms of appropriate instantiated 
types, but only to terms definable in some sense by items in the respective 
implementations $a$ and $b$. However, the usual notion of simulation relation considers 
in fact arbitrary terms. At first order, this does not matter, because one 
can exhibit a relation that explicitly restricts arguments to be definable, namely 
the relation $R$ in the proof of Lemma 4. At higher order, one could try altering 
the relational proof criteria by incorporating explicit definability clauses. This 
is reminiscent of recent approaches on the semantical level [15,13]. 



Acknowledgements. Thanks are due to Martin Hofmann, Don Sannella, and 
the referees for helpful comments and suggestions. This research has been supported 
by EPSRC grant GR/K63795, and NFR (Norwegian Research Council) 
grant 110904/41. 

References 

1. M. Abadi, L. Cardelli, and P.-L. Curien. Formal parametric polymorphism. The- 
oretical Computer Science, 121:9-58, 1993. 

2. D. Aspinall. Type Systems for Modular Programs and Specifications. PhD thesis, 
University of Edinburgh, 1998. 

3. E.S. Bainbridge, P.J. Freyd, A. Scedrov, and P.J. Scott. Functorial polymorphism. 
Theoretical Computer Science, 70:35-64, 1990. 

4. M. Bidoit and R. Hennicker. Behavioural theories and the proof of behavioural 
properties. Theoretical Computer Science, 165:3-55, 1996. 

5. M. Bidoit, R. Hennicker, and M. Wirsing. Behavioural and abstractor specifica- 
tions. Science of Computer Programming, 25:149-186, 1995. 

6. M. Bidoit, R. Hennicker, and M. Wirsing. Proof systems for structured specifica- 
tions with observability operators. Theoretical Computer Sci., 173:393-443, 1997. 

7. M. Bidoit, H.-J. Kreowski, P. Lescanne, F. Orejas, and D. Sannella (eds.). Alge- 
braic System Specification and Development: A Survey and Annotated Bibliography , 
volume 501 of LNCS. Springer, 1991. 

8. C. Böhm and A. Berarducci. Automatic synthesis of typed λ-programs on term 
algebras. Theoretical Computer Science, 39:135-154, 1985. 

9. J.A. Goguen. Parameterized programming. IEEE Transactions on Software Engi- 
neering, SE-10(5):528-543, 1984. 

10. R. Hennicker. Structured specifications with behavioural operators: Semantics, 
proof methods and applications. Habilitationsschrift, LMU, München, 1997. 

11. M. Hofmann. A simple model for quotient types. In Proc. TLCA’95, volume 902 
of LNCS, pages 216-234. Springer, 1995. 

12. M. Hofmann and D. Sannella. On behavioural abstraction and behavioural satis- 
faction in higher-order logic. Theoretical Computer Science, 167:3-45, 1996. 

13. F. Honsell and D. Sannella. Pre-logical relations. In Proc. CSL'99, LNCS, 1999. 

14. S. Kahrs, D. Sannella, and A. Tarlecki. The definition of Extended ML: a gentle 
introduction. Theoretical Computer Science, 173:445-484, 1997. 

15. Y. Kinoshita, P.W. O’Hearn, A.J. Power, M. Takeyama, and R.D. Tennent. An 
axiomatic approach to binary logical relations with applications to data refinement. 
In Proceedings of TACS’97, volume 1281 of LNCS, pages 191-212. Springer, 1997. 







16. H. Kirchner and P.D. Mosses. Algebraic specifications, higher-order types, and 
set-theoretic models. In Proc. AMAST’98, volume 1548 of LNCS, pages 378-388. 
Springer, 1998. 

17. Z. Luo. Program specification and data type refinement in type theory. Math. 
Struct. in Comp. Sci., 3:333-363, 1993. 

18. Q. Ma and J.C. Reynolds. Types, abstraction and parametric polymorphism, part 
2. In Proc. 7th MFPS, volume 598 of LNCS, pages 1-40. Springer, 1991. 

19. H. Mairson. Outline of a proof theory of parametricity. In ACM Symposium on 
Functional Programming and Computer Architecture, volume 523 of LNCS, pages 
313-327. Springer, 1991. 

20. K. Meinke. Universal algebra in higher types. Theoretical Computer Science, 
100:385-417, 1992. 

21. J.C. Mitchell. On the equivalence of data representations. In V. Lifschitz, editor, 
Artificial Intelligence and Mathematical Theory of Computation: Papers in Honor 
of John McCarthy, pages 305-330. Academic Press, 1991. 

22. J.C. Mitchell. Foundations for Programming Languages. Foundations of Comput- 
ing Series. MIT Press, 1996. 

23. N. Mylonakis. Behavioural specifications in type theory. In Recent Trends in Data 
Type Spec., 11th WADT, volume 1130 of LNCS, pages 394-408. Springer, 1995. 

24. G. Plotkin and M. Abadi. A logic for parametric polymorphism. In Proc. of TLCA 
93, volume 664 of LNCS, pages 361-375. Springer, 1993. 

25. E. Poll and J. Zwanenburg. A logic for abstract data types as existential types. In 
Proc. TLCA’99, volume 1581 of LNCS, pages 310-324, 1999. 

26. B. Reus and T. Streicher. Verifying properties of module construction in type 
theory. In Proc. MFCS’93, volume 711 of LNCS, pages 660-670, 1993. 

27. J.C. Reynolds. Types, abstraction and parametric polymorphism. Information 
Processing, 83:513-523, 1983. 

28. D. Sannella, S. Sokolowski, and A. Tarlecki. Toward formal development of pro- 
grams from algebraic specifications: parameterisation revisited. Acta Inform., 
29:689-736, 1992. 

29. D. Sannella and A. Tarlecki. On observational equivalence and algebraic specifica- 
tion. Journal of Computer and System Sciences, 34:150-178, 1987. 

30. D. Sannella and A. Tarlecki. Toward formal development of programs from alge- 
braic specifications: Implementations revisited. Acta Inform., 25(3):233-281, 1988. 

31. D. Sannella and A. Tarlecki. Essential concepts of algebraic specification and 
program development. Formal Aspects of Computing, 9:229-269, 1997. 

32. D. Sannella and M. Wirsing. A kernel language for algebraic specification and 
implementation. In Proc. 1983 Intl. Conf. on Foundations of Computation Theory, 
volume 158 of LNCS, pages 413-427. Springer, 1983. 

33. O. Schoett. Data Abstraction and the Correctness of Modular Programming. PhD 
thesis, University of Edinburgh, 1986. 

34. T. Streicher and M. Wirsing. Dependent types considered necessary for specifica- 
tion languages. In Recent Trends in Data Type Spec., volume 534 of LNCS, pages 
323-339. Springer, 1990. 

35. J. Underwood. Typing abstract data types. In Recent Trends in Data Type Spec., 
Proc. 10th WADT, volume 906 of LNCS, pages 437-452. Springer, 1994. 

36. M. Wirsing. Structured specifications: Syntax, semantics and proof calculus. In 
Logic and Algebra of Specification, pages 411-442. Springer, 1993. 

37. M. Wirsing. Algebraic specification languages: An overview. In Recent Trends in 
Data Type Specification, volume 906 of LNCS, pages 81-115. Springer, 1994. 




Pre-logical Relations* 



Furio Honsell^{1,2} and Donald Sannella^1 

^1 Laboratory for Foundations of Computer Science, University of Edinburgh, 
Edinburgh EH9 3JZ; furio@dcs.ed.ac.uk and dts@dcs.ed.ac.uk 
^2 Dipartimento di Matematica e Informatica, Università di Udine 



Abstract. We study a weakening of the notion of logical relations, called 
pre-logical relations, that has many of the features that make logical 
relations so useful as well as further algebraic properties including 
composability. The basic idea is simply to require the reverse implication in 
the definition of logical relations to hold only for pairs of functions that 
are expressible by the same lambda term. Pre-logical relations are the 
minimal weakening of logical relations that gives composability for 
extensional structures and simultaneously the most liberal definition that 
gives the Basic Lemma. The use of pre-logical relations in place of logical 
relations gives an improved version of Mitchell's representation independence 
theorem which characterizes observational equivalence for all signatures 
rather than just for first-order signatures. Pre-logical relations 
can be used in place of logical relations to give an account of data refinement 
where the fact that pre-logical relations compose explains why 
stepwise refinement is sound. 



1 Introduction 

Logical relations are structure-preserving relations between models of typed 
lambda calculus. 

Definition 1.1. Let $\mathcal A$ and $\mathcal B$ be $\Sigma$-applicative structures. A logical relation $\mathcal R$ over $\mathcal A$ and $\mathcal B$ is a family of relations $\{R^\sigma \subseteq [\![\sigma]\!]^{\mathcal A} \times [\![\sigma]\!]^{\mathcal B}\}_{\sigma \in Types(B)}$ such that:

- $R^{\sigma\to\tau}(f,g)$ iff $\forall a \in [\![\sigma]\!]^{\mathcal A}.\forall b \in [\![\sigma]\!]^{\mathcal B}.\ R^\sigma(a,b) \Rightarrow R^\tau(App_{\mathcal A}\,f\,a,\ App_{\mathcal B}\,g\,b)$.

- $R^\sigma([\![c]\!]^{\mathcal A}, [\![c]\!]^{\mathcal B})$ for every term constant $c : \sigma$ in $\Sigma$.

Logical relations are used extensively in the study of typed lambda calculus and 
have applications outside lambda calculus, for example to abstract interpretation 
[Abr90] and data refinement [Ten94]. A good reference for logical relations is 
[Mit96]. An important but more difficult reference is [Sta85]. 

The Basic Lemma is the key to many of the applications of logical relations. 
It says that any logical relation over A and B relates the interpretation of each 
lambda term in A to its interpretation in B. 

* An extended version of this paper, which includes proofs, is Report ECS-LFCS-99- 
405, Univ. of Edinburgh (1999). 
Lemma 1.2 (Basic Lemma). Let $\mathcal R$ be a logical relation over Henkin models $\mathcal A$ and $\mathcal B$. Then for all $\Gamma$-environments $\eta_{\mathcal A}, \eta_{\mathcal B}$ such that $R^\Gamma(\eta_{\mathcal A},\eta_{\mathcal B})$ and every term $\Gamma \triangleright M : \sigma$, $R^\sigma([\![\Gamma \triangleright M : \sigma]\!]^{\mathcal A}_{\eta_{\mathcal A}},\ [\![\Gamma \triangleright M : \sigma]\!]^{\mathcal B}_{\eta_{\mathcal B}})$. □

($R^\Gamma(\eta_{\mathcal A},\eta_{\mathcal B})$ refers to the obvious extension of $\mathcal R$ to environments, see page 550.)

As structure-preserving relations, logical relations resemble familiar algebraic 
concepts like homomorphisms and congruence relations but they lack some of 
the convenient properties of such concepts. In particular, the composition of two 
logical relations is not in general a logical relation. This calls into question their 
application to data refinement at least, where one would expect composition to 
provide an account of stepwise refinement. 

We propose a weakening of the notion of logical relations called pre-logical 
relations (Sect. 3) that has many of the features that make logical relations 
so useful — in particular, the Basic Lemma still holds for pre-logical relations 
(Lemma 4.1) — but having further algebraic properties including composabi- 
lity (Prop. 5.5). The basic idea is simply to require the reverse implication in 
the definition of logical relations to hold only for pairs of functions that are 
expressible by the same lambda term. Pre-logical relations turn out to be the 
minimal weakening of logical relations that gives composability for extensional 
structures (Corollary 7.2) and simultaneously the most liberal definition that 
gives the Basic Lemma. Pre-logical predicates (the unary case of pre-logical re- 
lations) coincide with sets that are invariant under Kripke logical relations with 
varying arity as introduced by Jung and Tiuryn [JT93] (Prop. 6.2). The use 
of pre-logical relations in place of logical relations gives an improved version of 
Mitchell’s representation independence theorem (Corollaries 8.5 and 8.6 to Theo- 
rem 8.4) which characterizes observational equivalence for all signatures rather 
than just for first-order signatures. Pre-logical relations can be used in place of 
logical relations in Tennent’s account of data refinement in [Ten94] and the fact 
that pre-logical relations compose explains why stepwise refinement is sound. 

Many applications of logical relations follow a standard pattern where the 
result comes directly from the Basic Lemma once an appropriate logical relation 
has been defined. Some results in the literature follow similar lines in the sense 
that a type-indexed family of relations is defined by induction on types and a 
proof like that of the Basic Lemma is part of the construction, but the family of 
relations defined is not logical. Examples can be found in Plotkin’s and Jung and 
Tiuryn’s lambda-definability results using I-relations [Plo80] and Kripke logical 
relations with varying arity [JT93] respectively, and Gandy’s proof of strong 
normalization using hereditarily strict monotonic functionals [Gan80]. In each of 
these cases, the family of relations involved turns out to be a pre-logical relation 
(Example 3.8, Sect. 6 and Example 3.9) which allows the common pattern to be 
extended to these cases as well. Since pre-logical relations are more general than 
logical relations and variants like I-relations, they provide a framework within 
which these different classes can be compared. Here we begin by studying and 
comparing their closure properties (Prop. 5.6) with special attention to closure 
under composition. 







The definition of pre-logical relations is not new. In [Sch87], Schoett uses 
a first-order version of algebraic relations which he calls correspondences, and 
he conjectures (p. 281) that for Henkin models, what we have called pre-logical 
relations (formulated as in Prop. 3.3) would be closed under composition and 
yield the Basic Lemma. In [Mit90], Mitchell makes the same suggestion, refer- 
ring to Schoett and also crediting Abramsky and Plotkin, but as an assertion 
rather than a conjecture. The idea is not developed any further. An independent 
but apparently equivalent definition of pre-logical relations over cartesian closed 
categories is given in [PPS98] where they are called lax logical relations. It is 
shown that these compose and that the Basic Lemma holds, and an axiomatic 
account is provided. Earlier, a closely related notion called L-relations was de- 
fined in [KOPTT97] and shown to compose. Another related paper is [Rob96]. 
There appears to be no previous work on pre-logical relations that goes beyond 
observing that they compose and that the Basic Lemma holds. Another diffe- 
rence to [PPS98] and [KOPTT97] is that our treatment is elementary rather 
than categorical, and covers also combinatory logics. 

2 Syntax and Semantics 

We begin with $\lambda^\to$, the simply-typed lambda calculus having $\to$ as the only type constructor. Other type constructors will be considered in Sect. 10. We follow the terminology in [Mit96] for the most part, with slightly different notation.

Definition 2.1. The set $Types(B)$ of types over a set $B$ of base types (or type constants) is given by the grammar $\sigma ::= b \mid \sigma \to \sigma$ where $b$ ranges over $B$. A signature $\Sigma$ consists of a set $B$ of type constants and a collection $C$ of typed term constants $c : \sigma$.

Let $\Sigma = (B, C)$ be a signature. We assume familiarity with the usual notions of context $\Gamma = x_1{:}\sigma_1, \ldots, x_n{:}\sigma_n$ and $\Sigma$-term $M$ of type $\sigma$ over a context $\Gamma$, written $\Gamma \triangleright M : \sigma$, with the meta-variable $t$ reserved for lambda-free $\Sigma$-terms. If $\Gamma$ is empty then we write simply $M : \sigma$. Capture-avoiding substitution $[N/x]M$ is as usual.

Definition 2.2. A $\Sigma$-applicative structure $\mathcal A$ consists of:

- a carrier set $[\![\sigma]\!]^{\mathcal A}$ for each $\sigma \in Types(B)$;

- a function $App^{\sigma,\tau}_{\mathcal A} : [\![\sigma \to \tau]\!]^{\mathcal A} \to [\![\sigma]\!]^{\mathcal A} \to [\![\tau]\!]^{\mathcal A}$ for each $\sigma,\tau \in Types(B)$;

- an element $[\![c]\!]^{\mathcal A} \in [\![\sigma]\!]^{\mathcal A}$ for each term constant $c : \sigma$ in $\Sigma$.

We drop the subscripts and superscripts when they are determined by the context. Two elements $f,g \in [\![\sigma \to \tau]\!]^{\mathcal A}$ are said to be extensionally equal if $App_{\mathcal A}\,f\,x = App_{\mathcal A}\,g\,x$ for every $x \in [\![\sigma]\!]^{\mathcal A}$. A $\Sigma$-applicative structure is extensional when extensional equality coincides with identity.

A $\Sigma$-combinatory algebra is a $\Sigma$-applicative structure $\mathcal A$ that has elements $K_{\sigma,\tau} \in [\![\sigma \to (\tau \to \sigma)]\!]^{\mathcal A}$ and $S_{\rho,\sigma,\tau} \in [\![(\rho \to \sigma \to \tau) \to (\rho \to \sigma) \to \rho \to \tau]\!]^{\mathcal A}$ for each $\rho,\sigma,\tau \in Types(B)$ satisfying $K\,x\,y = x$ and $S\,x\,y\,z = (x\,z)(y\,z)$. An extensional combinatory algebra is called a Henkin model. An applicative structure $\mathcal A$ is a full type hierarchy when $[\![\sigma \to \tau]\!]^{\mathcal A} = [\![\sigma]\!]^{\mathcal A} \to [\![\tau]\!]^{\mathcal A}$ for every $\sigma,\tau \in Types(B)$, and then it is obviously a Henkin model.

In a combinatory algebra, we can extend the definition of lambda-free $\Sigma$-terms by allowing them to contain $S$ and $K$; we call these combinatory $\Sigma$-terms.

A $\Gamma$-environment $\eta_{\mathcal A}$ assigns elements of an applicative structure $\mathcal A$ to variables, with $\eta_{\mathcal A}(x) \in [\![\sigma]\!]^{\mathcal A}$ for $x : \sigma$ in $\Gamma$. A lambda-free $\Sigma$-term $\Gamma \triangleright t : \sigma$ is interpreted in a $\Sigma$-applicative structure $\mathcal A$ under a $\Gamma$-environment $\eta_{\mathcal A}$ in the obvious way, written $[\![\Gamma \triangleright t : \sigma]\!]^{\mathcal A}_{\eta_{\mathcal A}}$, and this extends immediately to an interpretation of combinatory $\Sigma$-terms in combinatory algebras by interpreting $K$ and $S$ as $K_{\mathcal A}$ and $S_{\mathcal A}$. If $t$ is closed then we write simply $[\![t : \sigma]\!]^{\mathcal A}$.

There are various ways of interpreting terms containing lambda abstraction in a combinatory algebra by "compiling" them to combinatory terms so that outermost $\beta$ holds (see Prop. 2.4 below for what we mean by "outermost $\beta$"). In Henkin models, all these compilations yield the same result.

An axiomatic approach to interpreting lambda abstraction requires an appli- 
cative structure equipped with an interpretation function that satisfies certain 
minimal requirements — cf. the notion of acceptable meaning function in [Mit96]. 

Definition 2.3. A lambda $\Sigma$-applicative structure consists of a $\Sigma$-applicative structure $\mathcal A$ together with a function that maps any term $\Gamma \triangleright M : \sigma$ and $\Gamma$-environment $\eta_{\mathcal A}$ over $\mathcal A$ to an element of $[\![\sigma]\!]^{\mathcal A}$ such that:

- $[\![\Gamma \triangleright x : \sigma]\!]_{\eta_{\mathcal A}} = \eta_{\mathcal A}(x)$

- $[\![\Gamma \triangleright c : \sigma]\!]_{\eta_{\mathcal A}} = [\![c]\!]^{\mathcal A}$

- $[\![\Gamma \triangleright M\,N : \tau]\!]_{\eta_{\mathcal A}} = App_{\mathcal A}\,[\![\Gamma \triangleright M : \sigma \to \tau]\!]_{\eta_{\mathcal A}}\,[\![\Gamma \triangleright N : \sigma]\!]_{\eta_{\mathcal A}}$

- $[\![\Gamma \triangleright \lambda x{:}\sigma.M : \sigma \to \tau]\!]_{\eta_{\mathcal A}} = [\![\Gamma \triangleright \lambda y{:}\sigma.[y/x]M : \sigma \to \tau]\!]_{\eta_{\mathcal A}}$ provided $y \notin \Gamma$

- $[\![\Gamma \triangleright M : \sigma]\!]_{\eta_{\mathcal A}} = [\![\Gamma \triangleright M : \sigma]\!]_{\eta'_{\mathcal A}}$ provided $\eta'_{\mathcal A}$ is a $\Gamma$-environment such that $\eta'_{\mathcal A}(x) = \eta_{\mathcal A}(x)$ for all $x \in \Gamma$

- $[\![\Gamma, x{:}\sigma \triangleright M : \tau]\!]_{\eta_{\mathcal A}} = [\![\Gamma \triangleright M : \tau]\!]_{\eta_{\mathcal A}}$

- $[\![\Gamma, x{:}\sigma \triangleright M : \tau]\!]_{\eta_{\mathcal A}[x \mapsto [\![\Gamma \triangleright N : \sigma]\!]_{\eta_{\mathcal A}}]} = [\![\Gamma \triangleright [N/x]M : \tau]\!]_{\eta_{\mathcal A}}$

Proposition 2.4. A lambda applicative structure $\mathcal A$ with $App_{\mathcal A}\,[\![\Gamma \triangleright \lambda x{:}\sigma.M : \sigma \to \tau]\!]_{\eta_{\mathcal A}}\,a = [\![\Gamma, x{:}\sigma \triangleright M : \tau]\!]_{\eta_{\mathcal A}[x \mapsto a]}$ amounts to a combinatory algebra, and vice versa. □

Viewing a combinatory algebra as a lambda applicative structure involves inter- 
preting lambda terms via compilation to combinatory terms. 

3 Algebraic and Pre-logical Relations 

We propose a weakening of the definition of logical relations which is closed under 
composition and which has most of the attractive properties of logical relations. 
First we change the two-way implication in the condition on functions to a one- 
way implication which requires preservation of the relation under application. 
Definition 3.1. Let $\mathcal A$ and $\mathcal B$ be $\Sigma$-applicative structures. An algebraic relation $\mathcal R$ over $\mathcal A$ and $\mathcal B$ is a family of relations $\{R^\sigma \subseteq [\![\sigma]\!]^{\mathcal A} \times [\![\sigma]\!]^{\mathcal B}\}_{\sigma \in Types(B)}$ such that:

- If $R^{\sigma\to\tau}(f,g)$ then $\forall a \in [\![\sigma]\!]^{\mathcal A}.\forall b \in [\![\sigma]\!]^{\mathcal B}.\ R^\sigma(a,b) \Rightarrow R^\tau(App_{\mathcal A}\,f\,a,\ App_{\mathcal B}\,g\,b)$.

- $R^\sigma([\![c]\!]^{\mathcal A}, [\![c]\!]^{\mathcal B})$ for every term constant $c : \sigma$ in $\Sigma$.

In lambda applicative structures, we additionally require the relation to preserve lambda abstraction in a sense that is analogous to the definition of admissible relation in [Mit96]. First, we extend a family of relations to a relation on $\Gamma$-environments: $R^\Gamma(\eta_{\mathcal A},\eta_{\mathcal B})$ if $R^\sigma(\eta_{\mathcal A}(x),\eta_{\mathcal B}(x))$ for every $x{:}\sigma$ in $\Gamma$.



Definition 3.2. Let $\mathcal A$ and $\mathcal B$ be lambda $\Sigma$-applicative structures. A pre-logical relation over $\mathcal A$ and $\mathcal B$ is an algebraic relation $\mathcal R$ such that given $\Gamma$-environments $\eta_{\mathcal A}$ and $\eta_{\mathcal B}$ such that $R^\Gamma(\eta_{\mathcal A},\eta_{\mathcal B})$, and a term $\Gamma, x{:}\sigma \triangleright M : \tau$, if $R^\sigma(a,b)$ implies

$R^\tau([\![\Gamma, x{:}\sigma \triangleright M : \tau]\!]_{\eta_{\mathcal A}[x \mapsto a]},\ [\![\Gamma, x{:}\sigma \triangleright M : \tau]\!]_{\eta_{\mathcal B}[x \mapsto b]})$

for all $a \in [\![\sigma]\!]^{\mathcal A}$ and $b \in [\![\sigma]\!]^{\mathcal B}$, then $R^{\sigma\to\tau}([\![\Gamma \triangleright \lambda x{:}\sigma.M : \sigma \to \tau]\!]_{\eta_{\mathcal A}},\ [\![\Gamma \triangleright \lambda x{:}\sigma.M : \sigma \to \tau]\!]_{\eta_{\mathcal B}})$.

This amounts to defining pre-logical relations as simply the class of relations 
that make the Basic Lemma hold, as we shall see in Lemma 4.1 below. (Indeed, 
since the Basic Lemma for pre-logical relations is an equivalence rather than a 
one-way implication, an alternative at this point would be to take the conclusion 
of the Basic Lemma itself as the definition of pre-logical relations.) 

A more appealing definition is obtained if we consider combinatory algebras, 
where the requirement above boils down to preservation of $S$ and $K$: 



Proposition 3.3. Let $\mathcal A$ and $\mathcal B$ be $\Sigma$-combinatory algebras. An algebraic relation $\mathcal R$ over $\mathcal A$ and $\mathcal B$ is pre-logical iff $R(S^{\mathcal A}_{\rho,\sigma,\tau}, S^{\mathcal B}_{\rho,\sigma,\tau})$ and $R(K^{\mathcal A}_{\sigma,\tau}, K^{\mathcal B}_{\sigma,\tau})$ for all $\rho,\sigma,\tau \in Types(B)$. □

If we incorporate S and K into the signature F, then pre-logical relations are 
just algebraic relations on combinatory algebras. One way of understanding the 
definition of pre-logical relations is that the reverse implication in the definition 
of logical relations is required to hold only for pairs of functions that are expres- 
sible by the same lambda term. For combinatory algebras these are exactly the 
pairs of functions that are denoted by the same combinatory term, and thus this 
requirement is captured by requiring the relation to contain S and K . 

The use of the combinators $S$ and $K$ in the above proposition is in some sense arbitrary: the same result would be achieved by taking any other combinatory basis and changing the definition of combinatory algebra and the interpretation function accordingly. It would be straightforward to modify the definitions to accommodate other variants of lambda calculus, for instance $\lambda I$ for which a combinatory basis is or linear lambda calculi. For languages that include recursion, such as PCF, one would add a $Y$ combinator.

As usual, the binary case of algebraic resp. pre-logical relations over $\mathcal A$ and $\mathcal B$ is derived from the unary case of algebraic resp. pre-logical predicates for the product structure $\mathcal A \times \mathcal B$. We omit the obvious definitions. For most results about pre-logical relations below there are corresponding results about pre-logical predicates and about algebraic relations and predicates over applicative structures. Similar comments apply to $n$-ary relations for $n > 2$.
The fact that pre-logicality is strictly weaker than logicality is demonstrated by the following examples which also provide a number of general methods for defining pre-logical relations.

Example 3.4. For any signature $\Sigma$ and lambda $\Sigma$-applicative structure $\mathcal A$, the predicate $\mathcal V$ defined by

$V^\sigma(v) \Leftrightarrow v$ is the value of a closed $\Sigma$-term $M : \sigma$

is a pre-logical predicate over $\mathcal A$. (In fact, $\mathcal V$ is the least such — see Prop. 5.7 below.) Now, consider the signature $\Sigma$ containing the type constant $nat$ and term constants $0 : nat$ and $succ : nat \to nat$ and let $\mathcal A$ be the full type hierarchy over $\mathbb N$ where $0$ and $succ$ are interpreted as usual. $\mathcal V$ is not a logical predicate over $\mathcal A$: any function $f \in [\![nat \to nat]\!]^{\mathcal A}$, including functions that are not lambda definable, takes values in $V$ to values in $V$ and so must itself be in $V$. □

Example 3.5. The identity relation on a lambda applicative structure is a pre- 
logical relation but it is logical iff the structure is extensional. □ 

Example 3.6. A $\Sigma$-homomorphism between lambda $\Sigma$-applicative structures $\mathcal A$ and $\mathcal B$ is a type-indexed family of functions $\{h^\sigma : [\![\sigma]\!]^{\mathcal A} \to [\![\sigma]\!]^{\mathcal B}\}_{\sigma \in Types(B)}$ such that for any term constant $c : \sigma$ in $\Sigma$, $h^\sigma([\![c]\!]^{\mathcal A}) = [\![c]\!]^{\mathcal B}$, $h^\tau(App_{\mathcal A}\,f\,a) = App_{\mathcal B}\,h^{\sigma\to\tau}(f)\,h^\sigma(a)$ and $h^{\sigma\to\tau}([\![\Gamma \triangleright \lambda x{:}\sigma.M : \sigma \to \tau]\!]^{\mathcal A}_{\eta_{\mathcal A}}) = [\![\Gamma \triangleright \lambda x{:}\sigma.M : \sigma \to \tau]\!]^{\mathcal B}_{h(\eta_{\mathcal A})}$ where $h(\eta_{\mathcal A}) = \{x \mapsto h^\sigma(\eta_{\mathcal A}(x))\}$ for all $x{:}\sigma$ in $\Gamma$. Any $\Sigma$-homomorphism is a pre-logical relation. In particular, interpretation of terms in a lambda applicative structure with respect to an environment, viewed as a relation from the lambda applicative structure of terms, is a pre-logical relation but is not in general a logical relation. □

Example 3.7. Let $\mathcal A$ and $\mathcal B$ be lambda applicative structures and define $R^\sigma \subseteq [\![\sigma]\!]^{\mathcal A} \times [\![\sigma]\!]^{\mathcal B}$ by $R^\sigma(a,b)$ for $a \in [\![\sigma]\!]^{\mathcal A}$, $b \in [\![\sigma]\!]^{\mathcal B}$ iff there is a closed term $M : \sigma$ such that $[\![M : \sigma]\!]^{\mathcal A} = a$ and $[\![M : \sigma]\!]^{\mathcal B} = b$. This is a pre-logical relation but it is not 
in general a logical relation. Generalizing: the inverse of any pre-logical relation 
is obviously pre-logical and according to Prop. 5.5 below the composition of 
any two pre-logical relations is pre-logical. Then observe that the above relation 
is just the composition of closed term interpretation in B (which is pre-logical 
according to Example 3.6) and the inverse of closed term interpretation in A. □ 

Example 3.8. Plotkin's I-relations [Plo80] give rise to pre-logical relations. The 
family of relations on the full type hierarchy consisting of the tuples which are 
in a given I-relation at a given world (alternatively, at all worlds) is a pre-logical 
relation which is not in general a logical relation. □ 

A related example concerning Kripke logical relations with varying arity 
[JT93] is postponed to Sect. 6. 

Example 3.9. Let $\mathcal A$ be an applicative structure. Given order relations on $[\![b]\!]^{\mathcal A}$ for each base type $b$, we can define Gandy's hereditarily strict monotonic functionals [Gan80] as the equivalence classes of those elements of $\mathcal A$ which are self-related with respect to the following inductively defined family of relations on $\mathcal A \times \mathcal A$:

$R^{\sigma\to\tau}(f,g)$ iff $\forall a, b \in [\![\sigma]\!]^{\mathcal A}.\ R^\sigma(a,b) \Rightarrow \big((f \neq g \Rightarrow (R^\tau \setminus \Delta^\tau)(App_{\mathcal A}\,f\,a, App_{\mathcal A}\,g\,a))$
$\wedge\ (a \neq b \Rightarrow ((R^\tau \setminus \Delta^\tau)(App_{\mathcal A}\,f\,a, App_{\mathcal A}\,f\,b) \wedge (R^\tau \setminus \Delta^\tau)(App_{\mathcal A}\,g\,a, App_{\mathcal A}\,g\,b)))\big)$

(This defines simultaneously at each type both the class of functionals we are interested in and the order relation itself.) This method defines a pre-logical relation (with respect to $\mathcal A$) which is not in general a logical relation. □

4 The Basic Lemma 

We will now consider the extension of the Basic Lemma to pre-logical relations. 
In contrast to Lemma 1.2, we get a two-way implication which says that the 
requirements on pre-logical relations are exactly strong enough to ensure that 
the Basic Lemma holds. The reverse implication fails for logical relations as 
Example 3.4 shows (for logical predicates). 

Lemma 4.1 (Basic Lemma for pre-logical relations). Let $\mathcal R = \{R^\sigma \subseteq [\![\sigma]\!]^{\mathcal A} \times [\![\sigma]\!]^{\mathcal B}\}_{\sigma \in Types(B)}$ be a family of relations over lambda $\Sigma$-applicative structures $\mathcal A$ and $\mathcal B$. Then $\mathcal R$ is a pre-logical relation iff for all $\Gamma$-environments $\eta_{\mathcal A}, \eta_{\mathcal B}$ such that $R^\Gamma(\eta_{\mathcal A},\eta_{\mathcal B})$ and every $\Sigma$-term $\Gamma \triangleright M : \sigma$, $R^\sigma([\![\Gamma \triangleright M : \sigma]\!]^{\mathcal A}_{\eta_{\mathcal A}},\ [\![\Gamma \triangleright M : \sigma]\!]^{\mathcal B}_{\eta_{\mathcal B}})$. □

The “only if” direction of this result is the analogue in our setting of the general 
version of the Basic Lemma in [Mit96], cf. Lemma 1.2 above for the case of 
Henkin models, but where TZ is only required to be pre-logical. 

The Basic Lemma is intimately connected with the concept of lambda defin- 
ability. This is most apparent in the unary case: 

Lemma 4.2 (Basic Lemma for pre-logical predicates). Let $\mathcal P = \{P^\sigma \subseteq [\![\sigma]\!]^{\mathcal A}\}_{\sigma \in Types(B)}$ be a family of predicates over a lambda $\Sigma$-applicative structure $\mathcal A$. Then $\mathcal P$ is a pre-logical predicate iff it is closed under lambda definability: $P^\Gamma(\eta)$ and $\Gamma \triangleright M : \sigma$ implies $P^\sigma([\![\Gamma \triangleright M : \sigma]\!]_\eta)$. □

5 Properties of Pre-logical Relations 

A logical relation on lambda applicative structures is pre-logical provided it is 
admissible in the following sense. 

Definition 5.1 ([Mit96]). A logical relation $\mathcal R$ on lambda applicative structures $\mathcal A$ and $\mathcal B$ is admissible if given $\Gamma$-environments $\eta_{\mathcal A}$ and $\eta_{\mathcal B}$ such that $R^\Gamma(\eta_{\mathcal A},\eta_{\mathcal B})$, and terms $\Gamma, x{:}\sigma \triangleright M, N : \tau$,

$\forall a \in [\![\sigma]\!]^{\mathcal A}, b \in [\![\sigma]\!]^{\mathcal B}.\ R^\sigma(a,b) \Rightarrow R^\tau([\![\Gamma, x{:}\sigma \triangleright M : \tau]\!]_{\eta_{\mathcal A}[x \mapsto a]},\ [\![\Gamma, x{:}\sigma \triangleright N : \tau]\!]_{\eta_{\mathcal B}[x \mapsto b]})$

implies

$\forall a \in [\![\sigma]\!]^{\mathcal A}, b \in [\![\sigma]\!]^{\mathcal B}.\ R^\sigma(a,b) \Rightarrow R^\tau(App_{\mathcal A}\,[\![\Gamma \triangleright \lambda x{:}\sigma.M : \sigma \to \tau]\!]_{\eta_{\mathcal A}}\,a,\ App_{\mathcal B}\,[\![\Gamma \triangleright \lambda x{:}\sigma.N : \sigma \to \tau]\!]_{\eta_{\mathcal B}}\,b)$

Proposition 5.2. Any admissible logical relation on lambda applicative struc- 
tures is a pre-logical relation. □ 

Corollary 5.3. Any logical relation on combinatory algebras is a pre-logical re- 
lation. □ 

To understand why the composition of logical relations $\mathcal{R}$ over $A$ and $B$ 
and $\mathcal{S}$ over $B$ and $C$ might not be a logical relation, it is instructive to look at 
examples. When composition fails, the problem is often that the interpretation 
of some function type in B has “too few values”. But even if we take logical 
relations over full type hierarchies, where all possible values of function types 
are present, composition can fail: 

Example 5.4. Let $\Sigma$ contain just two type constants, $b$ and $b'$. Consider three full type hierarchies $A, B, C$ which interpret $b$ and $b'$ as follows: $[\![b]\!]^A = \{*\} = [\![b']\!]^A$; $[\![b]\!]^B = \{*\}$ and $[\![b']\!]^B = \{\circ, \bullet\}$; $[\![b]\!]^C = \{\circ, \bullet\} = [\![b']\!]^C$. Let $\mathcal{R}$ be the logical relation over $A$ and $B$ induced by $R^b = \{(*, *)\}$ and $R^{b'} = \{(*, \circ), (*, \bullet)\}$ and let $\mathcal{S}$ be the logical relation over $B$ and $C$ induced by $S^b = \{(*, \circ), (*, \bullet)\}$ and $S^{b'} = \{(\circ, \circ), (\bullet, \bullet)\}$. $\mathcal{S} \circ \mathcal{R}$ is not a logical relation because it does not relate the identity function in $[\![b]\!]^A \to [\![b']\!]^A$ to the identity function in $[\![b]\!]^C \to [\![b']\!]^C$. The problem is that the only two functions in $[\![b]\!]^B \to [\![b']\!]^B$ are $\{* \mapsto \circ\}$ and $\{* \mapsto \bullet\}$, and $\mathcal{S}$ does not relate these to the identity in $C$. □
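The failure of composition in Example 5.4 can be checked mechanically. The following Python script is an added example and not part of the paper: it builds the three full type hierarchies over the finite base sets of the example, lifts the base-type relations to the type $b \to b'$ by the logical-relation condition (related arguments go to related results), composes $\mathcal{R}$ and $\mathcal{S}$ relationally, and compares the result with what a logical relation having the same base-type components would contain. The encoding of functions as frozensets of argument/result pairs and the names `carrier`, `lift`, `compose` and `example_5_4` are my own choices, not the paper's notation.

```python
from itertools import product

# Types: a base type is a string; the function type s -> t is the tuple ('->', s, t).
# A full type hierarchy is fixed by its interpretation of the base types; at a
# function type it contains every set-theoretic function, which we encode as a
# frozenset of (argument, result) pairs so that functions are hashable elements.

def carrier(interp, ty):
    """All elements of type ty in the full type hierarchy over interp."""
    if isinstance(ty, str):
        return list(interp[ty])
    _, s, t = ty
    dom, cod = carrier(interp, s), carrier(interp, t)
    return [frozenset(zip(dom, image)) for image in product(cod, repeat=len(dom))]

def app(f, a):
    """Application in the model: look up the argument in the function's graph."""
    return dict(f)[a]

def lift(interp_a, interp_b, base, ty):
    """The logical relation induced by the base-type relations `base`:
    at s -> t, f and g are related iff they map related arguments to related results."""
    if isinstance(ty, str):
        return set(base[ty])
    _, s, t = ty
    rel_s = lift(interp_a, interp_b, base, s)
    rel_t = lift(interp_a, interp_b, base, t)
    return {(f, g)
            for f in carrier(interp_a, ty) for g in carrier(interp_b, ty)
            if all((app(f, a), app(g, b)) in rel_t for (a, b) in rel_s)}

def compose(r, s):
    """Relational composition S o R: (a, c) iff some b has (a, b) in R and (b, c) in S."""
    by_left = {}
    for (b, c) in s:
        by_left.setdefault(b, set()).add(c)
    return {(a, c) for (a, b) in r for c in by_left.get(b, ())}

# The data of Example 5.4: base types b and b', three full type hierarchies,
# and the base-type components of R (over A, B) and S (over B, C).
A = {"b": ["*"], "b'": ["*"]}
B = {"b": ["*"], "b'": ["o", "•"]}
C = {"b": ["o", "•"], "b'": ["o", "•"]}
R_BASE = {"b": {("*", "*")}, "b'": {("*", "o"), ("*", "•")}}
S_BASE = {"b": {("*", "o"), ("*", "•")}, "b'": {("o", "o"), ("•", "•")}}
TY = ("->", "b", "b'")

def example_5_4():
    """Compare (S o R) at type b -> b', computed by actually composing, with the
    logical lifting of the composite base relations (S o R)^b and (S o R)^b'."""
    r_ty = lift(A, B, R_BASE, TY)                    # R at b -> b'
    s_ty = lift(B, C, S_BASE, TY)                    # S at b -> b'
    composite = compose(r_ty, s_ty)                  # (S o R)^{b -> b'} as composed
    base_composite = {t: compose(R_BASE[t], S_BASE[t]) for t in ("b", "b'")}
    logical = lift(A, C, base_composite, TY)         # what a logical relation would contain
    id_a = frozenset({("*", "*")})                   # the only function in [b -> b']^A
    id_c = frozenset({("o", "o"), ("•", "•")})       # the identity in [b -> b']^C
    return {"composite": composite, "logical": logical,
            "id_A": id_a, "id_C": id_c, "functions_in_B": carrier(B, TY)}

if __name__ == "__main__":
    res = example_5_4()
    pair = (res["id_A"], res["id_C"])
    print("S o R relates id_A to id_C:      ", pair in res["composite"])
    print("a logical relation would:        ", pair in res["logical"])
    print("functions in [b -> b']^B:        ", len(res["functions_in_B"]))
```

Running it shows that $\mathcal{S} \circ \mathcal{R}$ relates the function $* \mapsto *$ of $A$ only to the two constant functions of $C$, whereas a logical relation with the same base-type components relates it to all four functions of $[\![b]\!]^C \to [\![b']\!]^C$, the identity included; the two functions of $[\![b]\!]^B \to [\![b']\!]^B$ are exactly the bottleneck the example describes.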

Proposition 5.5. The composition $\mathcal{S} \circ \mathcal{R}$ of pre-logical relations $\mathcal{R}$ over $A, B$ 
and $\mathcal{S}$ over $B, C$ is a pre-logical relation over $A, C$. □ 

Composition is definable in terms of product, intersection and projection: 

$\mathcal{S} \circ \mathcal{R} = \pi_{1,3}(A \times \mathcal{S}\ \cap\ \mathcal{R} \times C)$

Closure of pre-logical relations under these operations is a more basic property 
than closure under composition, and is not specific to binary relations. We have: 



Proposition 5.6. Pre-logical relations are closed under intersection, product, projection, restriction to a substructure, permutation and $\forall$. (Here, if $\mathcal{R} \subseteq A_1 \times \cdots \times A_n$ then $\forall\mathcal{R} \subseteq A_2 \times \cdots \times A_n$ is defined by $(\forall\mathcal{R})^\sigma = \{(a_2, \ldots, a_n) \mid \forall a_1 \in [\![\sigma]\!]^{A_1}.\ (a_1, a_2, \ldots, a_n) \in R^\sigma\}$.) Logical relations are closed under product, permutation and $\forall$ but not under intersection, projection or restriction to a substructure. □

A consequence of closure under intersection is that given a property P of 
relations that is preserved under intersection, there is always a least pre-logical 
relation satisfying P. We then have the following lambda-definability result (re- 
call Example 3.4 above): 
Proposition 5.7. The least pre-logical predicate over a lambda $\Sigma$-applicative 
structure contains exactly those elements that are the values of closed $\Sigma$-terms. □

In a signature with no term constants, a logical relation may be constructed 
by defining a relation $R$ on base types and using the definition to “lift” $R$ 
inductively to higher types. The situation is different for pre-logical relations: 
there are in general many pre-logical liftings of a given R, one being its lifting 
to a logical relation (provided this gives an admissible relation). But since the 
property of lifting a given R is preserved under intersection, the least pre-logical 
lifting of R is also a well-defined relation. Similarly for the least pre-logical 
extension of a given family of relations, for any signature. Lifting/extending 
a given family of relations to a logical relation is problematic for signatures 
containing higher-order term constants. 

It is easy to see that pre-logical relations are not closed under union. And 
even in a signature with no term constants, the class of pre-logical relations that 
lift a given relation R on base types cannot be endowed with a lattice structure in 
general. But the only logical relation in this class is one of its maximal elements 
under inclusion. 



6 Kripke Logical Relations with Varying Arity 

Definition 6.1 ([JT93]). Let $\mathcal{C}$ be a small category of sets and let $A$ be a Henkin model. A Kripke logical relation with varying arity (KLRwVA for short) over $A$ is a family of relations $R^\sigma_w$ indexed by objects $w$ of $\mathcal{C}$ and types $\sigma$ of $Types(\Sigma)$, where the elements of $R^\sigma_w$ are tuples of elements from $[\![\sigma]\!]^A$ indexed by the elements of $w$, such that:

— If $f : v \to w$ is a map in $\mathcal{C}$ and $R^\sigma_w(\langle a_i \rangle_{i \in w})$ then $R^\sigma_v(\langle a_{f(i)} \rangle_{i \in v})$.

— $R^{\sigma \to \tau}_w(\langle f_i \rangle_{i \in w})$ iff for every $g : v \to w$ in $\mathcal{C}$ and every $\langle a_i \rangle_{i \in v}$ with $R^\sigma_v(\langle a_i \rangle_{i \in v})$, $R^\tau_v(\langle App\ f_{g(i)}\ a_i \rangle_{i \in v})$.

— $R^\sigma_w(\langle [\![c]\!]^A \rangle_{i \in w})$ for every term constant $c : \sigma$ in $\Sigma$.

(This extends Jung and Tiuryn’s definition to take term constants into account.) 

KLRwVAs give rise to pre-logical relations in a similar way to I-relations, see 
Example 3.8: the family of relations consisting of the w-indexed tuples which are 
in a given KLRwVA at world w is a pre-logical relation which is not in general a 
logical relation, and those elements which are invariant under a given KLRwVA 
(i.e. $a \in [\![\sigma]\!]^A$ such that $R^\sigma_w(\langle a \rangle_{i \in w})$ for all $w$) also form a pre-logical predicate. 

More interesting is the fact that every pre-logical relation can be obtained in 
this way. We give the unary case; the binary and n-ary cases are obtained by 
instantiating to product structures. 

Proposition 6.2. Let $\mathcal{P} = \{P^\sigma \subseteq [\![\sigma]\!]^A\}_{\sigma \in Types(\Sigma)}$ be a family of predicates over a Henkin structure $A$. $\mathcal{P}$ is a pre-logical predicate iff it is the set of elements of $A$ which are invariant under some KLRwVA. □







7 Pre-logical Relations via Composition of Logical Relations

Our weakening of the definition of logical relations may appear to be ad hoc, 
but for extensional structures it turns out to be the minimal weakening that is 
closed under composition. There are variants of this result for several different 
classes of models. We give the version for Henkin models. 

Proposition 7.1. Let $A$ and $B$ be Henkin models and let $\mathcal{R}$ be a pre-logical relation over $A$ and $B$. Then $\mathcal{R}$ factors into a composition of three logical relations over Henkin models.

Proof idea. Let $A[X]$ and $B[X]$ be obtained by adding indeterminates to $A$ and $B$ respectively. $\mathcal{R}$ is the composition of: the embedding of $A$ in $A[X]$; a logical relation $\mathcal{R}[X]$ on $A[X]$ and $B[X]$; and the inverse of the embedding of $B$ in $B[X]$. □

Corollary 7.2. The class of pre-logical relations on Henkin models is the closure 
under composition of the class of logical relations on such structures. □ 

This gives the following lambda-definability result: 

Corollary 7.3. Let $A$ be a Henkin model and $a \in [\![\sigma]\!]^A$. Then $(a, a)$ belongs to all relations over $A \times A$ obtained by composing logical relations iff $a = [\![M : \sigma]\!]^A$ for some closed $\lambda$-term $M : \sigma$. □

For non-extensional structures the notion of pre-logical relations is not the 
minimal weakening that gives closure under composition. The following variant 
is the minimal weakening for this case. 

Definition 7.4. An algebraic relation is extensional if whenever $R^{\sigma \to \tau}(f, g)$, $f'$ is extensionally equal to $f$ and $g'$ is extensionally equal to $g$, we have $R^{\sigma \to \tau}(f', g')$.

All pre-logical relations over extensional structures are automatically extensio- 
nal, and all logical relations over applicative structures (even non-extensional 
ones) are automatically extensional as well. 

Proposition 7.5. Let $A$ and $B$ be combinatory algebras and let $\mathcal{R}$ be an extensional pre-logical relation over $A$ and $B$. Then $\mathcal{R}$ factors into a composition of three logical relations. □

Corollary 7.6. The class of extensional pre-logical relations on combinatory algebras is the closure under composition of the class of logical relations on such structures. □

These results may suggest that our definition of pre-logical relations on non- 
extensional structures should be strengthened by requiring the relation to be 
extensional, but this would make the reverse implication of the Basic Lemma 
fail. So although the notion of extensional pre-logical relations is the minimal 
weakening that gives closure under composition, these are stronger than neces- 
sary to give the Basic Lemma. 
8 Representation Independence and Data Refinement 

Logical relations have been applied to explain the fact that the behaviour of 
programs does not depend on the way that data types are represented, but only 
on what can be observed about them using the operations that are provided. 
“Behaviour of programs” is captured by the notion of observational equivalence. 



Definition 8.1. Let $A$ and $B$ be lambda $\Sigma$-applicative structures and let $OBS$, the observable types, be a subset of $Types(\Sigma)$. Then $A$ is observationally finer than $B$ with respect to $OBS$, written $A \leq_{OBS} B$, if for any two closed terms $M, N : \sigma$ for $\sigma \in OBS$ such that $[\![M : \sigma]\!]^A = [\![N : \sigma]\!]^A$ we have $[\![M : \sigma]\!]^B = [\![N : \sigma]\!]^B$. $A$ and $B$ are observationally equivalent with respect to $OBS$, written $A \equiv_{OBS} B$, if $A \leq_{OBS} B$ and $B \leq_{OBS} A$.

Usually OBS are the “built-in” types for which equality is decidable, for instance 
bool and/or nat. Then A and B are observationally equivalent iff it is not possible 
to distinguish between them by performing computational experiments. 

Mitchell gives the following representation independence result: 

Theorem 8.2 ([Mit96]). Let $\Sigma$ be a signature that includes a type constant $nat$, and let $A$ and $B$ be Henkin models, with $[\![nat]\!]^A = [\![nat]\!]^B = \mathbb{N}$. If there is a logical relation $\mathcal{R}$ over $A$ and $B$ with $R^{nat}$ the identity relation on natural numbers, then $A \equiv_{\{nat\}} B$. Conversely, if $A \equiv_{\{nat\}} B$, $\Sigma$ provides a closed term for each element of $\mathbb{N}$, and $\Sigma$ only contains first-order functions, then there is a logical relation $\mathcal{R}$ over $A$ and $B$ with $R^{nat}$ the identity relation. □

The following example (Exercise 8.5.6 in [Mit96]) shows that the requirement 
that $\Sigma$ contains only first-order functions is necessary. 

Example 8.3. Let $\Sigma$ have type constant $nat$ and term constants $0, 1, 2, \ldots : nat$ and $f : (nat \to nat) \to nat$. Let $A$ be the full type hierarchy over $[\![nat]\!]^A = \mathbb{N}$ with $0, 1, 2, \ldots$ interpreted as usual and $[\![f]\!]^A(g) = 0$ for all $g : \mathbb{N} \to \mathbb{N}$. Let $B$ be like $A$ but with $[\![f]\!]^B(g) = 0$ if $g$ is computable and $[\![f]\!]^B(g) = 1$ otherwise. Since the difference between $A$ and $B$ cannot be detected by evaluating terms, $A \equiv_{\{nat\}} B$. But there is no logical relation over $A$ and $B$ which is the identity relation on $nat$: if $\mathcal{R}$ is logical then $R^{nat \to nat}(g, g)$ for any $g : \mathbb{N} \to \mathbb{N}$, and then $R^{nat}(App_A\ [\![f]\!]^A\ g,\ App_B\ [\![f]\!]^B\ g)$, which gives a contradiction if $g$ is non-computable. □

We will strengthen this result by showing that pre-logical relations characte- 
rize observational equivalence for all signatures. We also generalize to arbitrary 
sets of observable types but this is much less significant. This characterization 
is obtained as a corollary of the following theorem which is a strengthening of 
Lemma 8.2.17 in [Mit96], again made possible by using pre-logical relations in 
place of logical relations. 

Theorem 8.4. Let $A$ and $B$ be lambda $\Sigma$-applicative structures and let $OBS \subseteq Types(\Sigma)$. Then $A \leq_{OBS} B$ iff there exists a pre-logical relation over $A$ and $B$ which is a partial function on $OBS$. □

(Mitchell’s Lemma 8.2.17 is the “if” direction for Henkin models where $OBS = Types(\Sigma)$ but $\mathcal{R}$ is required to be logical rather than just pre-logical.)

Corollary 8.5. Let $A$ and $B$ be lambda $\Sigma$-applicative structures and let $OBS \subseteq Types(\Sigma)$. Then $A \equiv_{OBS} B$ iff there exists a pre-logical relation over $A$ and $B$ which is a partial function on $OBS$ in both directions. □

Corollary 8.6. Let $\Sigma$ include a type constant $nat$ and let $A$ and $B$ be lambda $\Sigma$-applicative structures with $[\![nat]\!]^A = [\![nat]\!]^B = \mathbb{N}$ such that $\Sigma$ provides a closed term for each element of $\mathbb{N}$. There is a pre-logical relation $\mathcal{R}$ over $A$ and $B$ with $R^{nat}$ the identity relation on natural numbers iff $A \equiv_{\{nat\}} B$. □

Example 8.7. Revisiting Example 8.3, the pre-logical relation constructed in Ex- 
ample 3.7 has the required property, and it does not relate non-computable fun- 
ctions since they are not lambda definable. □ 

In accounts of data refinement in terms of logical relations such as Sect. 2 
of [Ten94], the fact that logical relations do not compose conflicts with the 
experience that data refinements do compose in real life. Example 5.4 can be 
embellished to give refinements between data structures like lists and sets for 
which the logical relations underlying the refinement steps do not compose to 
give a logical relation, yet the data refinements involved do compose at an in- 
tuitive level. This failure to justify the soundness of stepwise refinement is a 
serious flaw. If pre-logical relations are used in place of logical relations, then 
the fact that the composition of pre-logical relations is again a pre-logical rela- 
tion (Prop. 5.5) explains why stepwise refinement is sound. This opens the way 
to further development of the foundations of data refinement along the lines of 
[ST88], but we leave this to a separate future paper, see Sect. 11. 



9 Other Applications 

There are many other applications of logical relations. Take for instance the 
proof of strong normalization of $\lambda^\to$ in [Mit96]: one defines an admissible logical 
predicate on a lambda applicative structure of terms by lifting the predicate on 
base types consisting of the strongly normalizing terms to higher types, proves 
that the predicate implies strong normalization, and then applies the general 
version of the Basic Lemma to give the result. The pattern for proofs of con- 
fluence, completeness of leftmost reduction, etc., is the same, sometimes with 
logical relations in place of logical predicates. There are also constructions that 
do not involve the Basic Lemma because the relations defined are not logical re- 
lations, but that include proofs following the same lines as the proof of the Basic 
Lemma. Examples include Gandy’s proof that the hereditarily strict monotonic 
functionals model $\lambda I$ terms [Gan80], Plotkin’s proof that lambda terms satisfy 
any I-relation [Plo80], and Jung and Tiuryn’s proof that lambda terms satisfy 
any KLRwVA at each arity (Theorem 3 of [JT93]). 

All of these can be cast into a common mould by using pre-logical relations. If 
a relation or predicate on a lambda applicative structure is logical and admissible. 
then it is pre-logical, and then the Basic Lemma for pre-logical relations gives 
the result. Plotkin’s, Jung and Tiuryn’s, and Gandy’s relations can be shown 
to be pre-logical (in Gandy’s case with respect to $\lambda I$), see Example 3.8, Sect. 6 
and Example 3.9 respectively, and then the application of the Basic Lemma for 
pre-logical relations gives the result in these cases as well. In each case, however, 
the interesting part of the proof is not the application of the Basic Lemma (or 
the argument that replaces its application in the case of Gandy, Plotkin, and 
Jung and Tiuryn) but rather the construction of the relation and the proof of 
its properties. The point of the analysis is not to say that this view makes the 
job easier but rather to bring forward the common pattern in all of these proofs, 
which is suggestive of a possible methodology for such proofs. 

Definition 9.1. A family of binary relations $\{R^\sigma \subseteq [\![\sigma]\!]^A \times [\![\sigma]\!]^A\}_{\sigma \in Types(\Sigma)}$ over a $\Sigma$-applicative structure $A$ is a partial equivalence relation (abbreviated PER) if it is symmetric and transitive for each type.

Proposition 9.2. Let $\mathcal{R}$ be a PER on a $\Sigma$-applicative structure $A$ which is algebraic. Define the quotient of $A$ by $\mathcal{R}$, written $A/\mathcal{R}$, as follows:

- $[\![\sigma]\!]^{A/\mathcal{R}} = [\![\sigma]\!]^A / R^\sigma$, i.e. the set of $\mathcal{R}$-equivalence classes of objects $a \in [\![\sigma]\!]^A$ such that $R^\sigma(a, a)$.

- $App^{A/\mathcal{R}}\ [f]_{A/\mathcal{R}}\ [a]_{A/\mathcal{R}} = [App^A\ f\ a]_{A/\mathcal{R}}$

- $[\![c]\!]^{A/\mathcal{R}} = [\,[\![c]\!]^A\,]_{A/\mathcal{R}}$ for each term constant $c : \sigma$ in $\Sigma$.

Then:

1. Let $A$ be a lambda applicative structure. Then $A/\mathcal{R}$ is a lambda applicative structure iff $\mathcal{R}$ is pre-logical.

2. Let $A$ be a combinatory algebra. Then $A/\mathcal{R}$ is a combinatory algebra iff $\mathcal{R}$ is pre-logical.

3. $A/\mathcal{R}$ is an extensional applicative structure iff the restriction of $\mathcal{R}$ to the substructure of $A$ consisting of the elements in $Dom(\mathcal{R})$ is a logical relation. □

The last part of the above proposition says that one application of logical rela- 
tions, that is their use in obtaining extensional structures by quotienting non- 
extensional structures — the so-called extensional collapse — requires a relation 
that is logical (on a substructure) rather than merely pre-logical. 

The above proposition allows us to prove completeness for different classes of 
structures using the traditional technique of quotienting an applicative structure 
of terms by a suitable relation defined by provability in a calculus. For non- 
extensional structures, this is not possible using logical relations because the 
relation defined by provability is pre-logical or algebraic rather than logical. 

10 Beyond $\lambda^\to$ and Applicative Structures 

Up to now we have been working in $\lambda^\to$, the simplest version of typed lambda 
calculus. We will now briefly indicate how other type constructors could be 
treated so as to obtain corresponding results for extended languages. 
As a template, we shall discuss the case of product types. The syntax of types is extended by adding the type form $\sigma \times \tau$ and the syntax of terms is extended by adding pairing $\langle M, N \rangle$ and projections $\pi_1 M$ and $\pi_2 M$. If we regard these as additional term constants in the signature, e.g. $\langle \cdot, \cdot \rangle : \sigma \to \tau \to \sigma \times \tau$ for all $\sigma, \tau$, rather than as new term forms, then the definition of pre-logical relations remains the same: the condition on term constants says that e.g. $R^{\sigma \to \tau \to \sigma \times \tau}([\![\langle \cdot, \cdot \rangle]\!]^A, [\![\langle \cdot, \cdot \rangle]\!]^B)$ is all that is required. For models that satisfy surjective pairing, this implies the corresponding condition on logical relations, namely

— $R^{\sigma \times \tau}(a, b)$ iff $R^\sigma(\pi_1 a, \pi_1 b)$ and $R^\tau(\pi_2 a, \pi_2 b)$.

The treatment of sum types $\sigma + \tau$ is analogous.

A type constructor that has received less attention in the literature is (finite) powerset. For lack of space we do not propose a specific language of terms to which one could apply the paradigm suggested above, but we claim that the notion of pre-logical relations over full type hierarchies would be extended to powersets by the addition of the following condition:

— $R^{\mathcal{P}(\sigma)}(\alpha, \beta)$ iff $\forall a \in \alpha.\ \exists b \in \beta.\ R^\sigma(a, b)$ and $\forall b \in \beta.\ \exists a \in \alpha.\ R^\sigma(a, b)$.
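As an added illustration, not taken from the paper, the following Python code computes the powerset condition just stated over the finite powersets of small constructed carriers. It also checks a property the paper does not state but which follows from the bisimulation pattern: unlike the function-type lifting of Example 5.4, this lifting commutes with relational composition, $(\mathcal{S} \circ \mathcal{R})^{\mathcal{P}(\sigma)} = \mathcal{S}^{\mathcal{P}(\sigma)} \circ \mathcal{R}^{\mathcal{P}(\sigma)}$ (given $\alpha\,(\mathcal{S} \circ \mathcal{R})^{\mathcal{P}}\,\gamma$, the set of all $b$ with some $a \in \alpha$, $c \in \gamma$, $a\,R\,b$, $b\,S\,c$ is a witnessing middle set). The carriers, the sample relations and the function names are my own constructions.

```python
from itertools import combinations

def finite_subsets(xs):
    """The finite powerset of the carrier xs, as a list of frozensets."""
    xs = list(xs)
    return [frozenset(c) for k in range(len(xs) + 1) for c in combinations(xs, k)]

def lift_powerset(rel, carrier_a, carrier_b):
    """Relation at powerset type: alpha and beta are related iff every element of
    alpha has a rel-related element in beta and every element of beta has a
    rel-related element in alpha (the bisimulation pattern of the paper)."""
    pairs = set(rel)
    return {(alpha, beta)
            for alpha in finite_subsets(carrier_a)
            for beta in finite_subsets(carrier_b)
            if all(any((a, b) in pairs for b in beta) for a in alpha)
            and all(any((a, b) in pairs for a in alpha) for b in beta)}

def compose(r, s):
    """Relational composition S o R: (a, c) iff some b has (a, b) in R and (b, c) in S."""
    by_left = {}
    for (b, c) in s:
        by_left.setdefault(b, set()).add(c)
    return {(a, c) for (a, b) in r for c in by_left.get(b, ())}

def powerset_lifting_composes(r, s, carrier_a, carrier_b, carrier_c):
    """True iff lifting the composite S o R equals composing the two liftings."""
    lifted_composite = lift_powerset(compose(r, s), carrier_a, carrier_c)
    composed_liftings = compose(lift_powerset(r, carrier_a, carrier_b),
                                lift_powerset(s, carrier_b, carrier_c))
    return lifted_composite == composed_liftings

# Constructed sample data (not from the paper): three base carriers and two
# relations R (between CA and CB) and S (between CB and CC).
CA, CB, CC = [1, 2, 3], ["x", "y"], ["p", "q", "r"]
R_SAMPLE = {(1, "x"), (2, "x"), (3, "y")}
S_SAMPLE = {("x", "p"), ("x", "q"), ("y", "r")}

if __name__ == "__main__":
    lifted = lift_powerset(R_SAMPLE, CA, CB)
    print("related pairs of subsets:", len(lifted))
    print("{1,2} ~ {x}:", (frozenset({1, 2}), frozenset({"x"})) in lifted)
    print("lifting commutes with composition:",
          powerset_lifting_composes(R_SAMPLE, S_SAMPLE, CA, CB, CC))
```

Note that the empty set is related only to the empty set, and that a subset $\alpha$ is never related to a $\beta$ containing an element with no $R$-partner in $\alpha$; both are direct consequences of the two-sided quantification.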

Note that this is the same pattern used in defining bisimulations. The extension 
for other kinds of models remains a topic for future work. 

Various other kinds of types can be considered, including inductive and co- 
inductive data types, universally and existentially quantified types, and various 
flavours of dependent types. We have not yet considered these in any detail, but 
we are confident that for any of them, one could take any existing treatment 
of logical relations and modify it by weakening the condition on functions as 
above without sacrificing the Basic Lemma. We expect that this would even 
yield improved results as it has above, but this is just speculation. 

A different dimension of generalization is to consider models having additio- 
nal structure — e.g. Kripke applicative structures [MM91], pre-sheaf models or 
cartesian closed categories — for which logical relations have been studied. We 
have not yet examined the details of this generalization but it appears that a 
corresponding weakening of the definition would lead to analogues of the results 
above, cf. [PPS98]. 

11 Conclusions and Directions for Future Work 

Our feeling is that by introducing the notion of pre-logical relation we have, 
metaphorically and a little immodestly, removed a “blind spot” in the existing 
intuition of the use and scope of logical relations and related techniques. This 
is not to say that some specialists in the field have not previously contemplated 
generalizations similar to ours, but they have not carried the investigation far 
enough. We believe that in this paper we have exposed very clearly the fact that 
in many situations the use of logical relations is unnecessarily restrictive. Using 
pre-logical relations instead, we get improved statements of some results (e.g. 
Theorem 8.4 and its corollaries), we encompass constructions that had previously 
escaped the logical paradigm (e.g. Example 3.9), and we isolate the necessary 
and sufficient hypotheses for many arguments to go through (e.g. Lemma 4.1). 
We have given several characterizations of pre-logical relations, summarized in 
the following theorem (for the unary case): 

Theorem 11.1. Let $\mathcal{P} = \{P^\sigma \subseteq [\![\sigma]\!]^A\}_{\sigma \in Types(\Sigma)}$ be a family of predicates over a Henkin structure $A$. The following are equivalent.

1. $\mathcal{P}$ is a pre-logical predicate.

2. $\mathcal{P}$ is closed under lambda definability.

3. $\mathcal{P}$ is the set of elements of $A$ which are invariant under some KLRwVA.

4. $\mathcal{P}$ is the set of elements of $A$ that are invariant under the composition of (three) logical relations. □

The fact that there are so many conceptually independent ways of defining the 
same class of relations suggests that it is a truly intrinsic notion. Notice that 
Thm. 11.1(3) gives an inductive flavour to this concept which is not explicit in 
the definition of pre-logical relation; this apparent lack has been regarded as a 
weakness of the concept, see e.g. p. 428-429 of [Mit90]. 

Throughout the paper we have indicated possible directions of future inve- 
stigation, e.g. with respect to richer type theories. It is plausible that sharper 
characterizations of representation independence will appear in many different 
type contexts. 

But probably the area where the most benefits will be achieved will be that 
of the foundations of data refinement. Here we think that a more comprehensive 
explanation of data refinement would be obtained by combining an account in 
terms of pre-logical relations with the first-order algebraic treatment in [ST88] 
which we would expect to extend smoothly to higher-order. Among other im- 
provements, this would result in a non-symmetric refinement relation, giving a 
better fit with the real-life phenomenon being modelled. 

There is a vast literature on logical relations in connection with areas like 
parametricity, abstract interpretation, etc. A treatment of these topics in terms 
of pre-logical relations is likely to be as fruitful and illuminating as it has proved 
to be for the classical example of simply-typed lambda calculus presented here. 

Acknowledgements: Thanks to Samson Abramsky, Jo Hannay, Martin Hof- 
mann, Andrew Kennedy, Yoshiki Kinoshita, John Mitchell, Peter O’Hearn, Gor- 
don Plotkin, John Power and Ian Stark for helpful comments. This work has been 
partially supported by EPSRC grant GR/K63795, an SOEID/RSE Support Re- 
search Fellowship, the ESPRIT-funded CoFI and TYPES working groups, and 
a MURST’97 grant. 







References 



[Abr90] S. Abramsky. Abstract interpretation, logical relations, and Kan extensions. Journal of Logic and Computation 1:5-40 (1990).

[Gan80] R. Gandy. Proofs of strong normalization. In: To H.B. Curry: Essays on Combinatory Logic, Lambda Calculus and Formalism, 457-477. Academic Press (1980).

[JT93] A. Jung and J. Tiuryn. A new characterization of lambda definability. Proc. TLCA’93. Springer LNCS 664, 245-257 (1993).

[KOPTT97] Y. Kinoshita, P. O’Hearn, J. Power, M. Takeyama and R. Tennent. An axiomatic approach to binary logical relations with applications to data refinement. Proc. TACS’97, Springer LNCS 1281, 191-212 (1997).

[Mit90] J. Mitchell. Type Systems for Programming Languages. Chapter 8 of Handbook of Theoretical Computer Science, Vol B. Elsevier (1990).

[Mit96] J. Mitchell. Foundations for Programming Languages. MIT Press (1996).

[MM91] J. Mitchell and E. Moggi. Kripke-style models for typed lambda calculus. Annals of Pure and Applied Logic 51:99-124 (1991).

[Plo80] G. Plotkin. Lambda-definability in the full type hierarchy. In: To H.B. Curry: Essays on Combinatory Logic, Lambda Calculus and Formalism, 363-373. Academic Press (1980).

[PPS98] G. Plotkin, J. Power and D. Sannella. A compositional generalisation of logical relations. Draft report, http://www.dcs.ed.ac.uk/home/dts/pub/laxlogrel.ps (1998).

[Rob96] E. Robinson. Logical relations and data abstraction. Report 730, Queen Mary and Westfield College (1996).

[ST88] D. Sannella and A. Tarlecki. Toward formal development of programs from algebraic specifications: implementations revisited. Acta Informatica 25:233-281 (1988).

[Sch87] O. Schoett. Data Abstraction and the Correctness of Modular Programming. Ph.D. thesis CST-42-87, Univ. of Edinburgh (1987).

[Sta85] R. Statman. Logical relations and the typed lambda calculus. Information and Control 65:85-97 (1985).

[Ten94] R. Tennent. Correctness of data representations in Algol-like languages. In: A Classical Mind: Essays in Honour of C.A.R. Hoare. Prentice Hall (1994).




Data Refinement for Call-By-Value Programming Languages

Yoshiki Kinoshita¹ and John Power²

¹ Electrotechnical Laboratory, 1-1-4 Umezono, Tsukuba-shi, Ibaraki, 305 Japan
² Laboratory for the Foundations of Computer Science, University of Edinburgh, King’s Buildings, Edinburgh EH9 3JZ, Scotland



Abstract. We give a category theoretic framework for data-refinement in call-by-value programming languages. One approach to data refinement for the simply typed $\lambda$-calculus is given by generalising the notion of logical relation to one of lax logical relation, so that binary lax logical relations compose. So here, we generalise the notion of lax logical relation, defined in category theoretic terms, from the simply typed $\lambda$-calculus to the computational $\lambda$-calculus as a model of data refinement.

1 Introduction 

A fundamental tenet of data refinement is that data refinements compose, i.e., if $M$ refines $N$, and $N$ refines $P$, then $M$ refines $P$. This fact has meant that, although in principle, one would expect logical relations to model data refinement, that has not been possible because binary logical relations do not compose (see [20]). In response to that problem, there have been attempts to extend the notion of logical relation to a notion of lax logical relation, retaining the fundamental features of logical relations but allowing composition. From a category theoretic perspective, these include [10] and [20], generalising Hermida’s approach to logical relations in [3].

For the simply typed $\lambda$-calculus generated by a signature $\Sigma$, (we recall with detail in Section 2 that) to give a logical relation is equivalent to giving a strict cartesian closed functor from the cartesian closed category $L$ determined by the term model for $\Sigma$, to $Rel_2$, the cartesian closed category for which an object is a pair of sets $X$ and $Y$ together with a binary relation $R$ from $X$ to $Y$. A lax logical relation is exactly the same except that the functor from $L$ to $Rel_2$, although still required to preserve finite products strictly, equivalently, to respect contexts, need not preserve exponentials. There is a syntactic counterpart to this (see Section 2), but the above is the most compact definition.
More generally, the work of [3,10,20] (see also [7]) has addressed data refinement, or lax logical relations, where the term model is a category with algebraic structure, as is common in purely logical situations (see [16]) such as the simply typed $\lambda$-calculus. But in a call-by-value programming language such as ML, one needs to distinguish carefully between computational expressions and values, leading to consideration of a pair of categories, one generated by arbitrary terms, the other generated by values, with a functor from the second to the first. So, in order to generalise the above notion of lax logical relation to call-by-value programming languages, we require a careful exploration of the distinction between expressions and values, and exactly how finite products, modelling contexts, generalise to account for the distinction. So this paper is devoted to a category theoretic account of data refinement for call-by-value languages, the primary point being the careful distinction between arbitrary terms and values.

For concreteness, we consider the call-by-value language given by the computational $\lambda$-calculus, or $\lambda_c$-calculus, as introduced by Moggi in [17]. This provides a natural fragment of a range of call-by-value languages such as ML. The $\lambda_c$-calculus has a sound and complete class of models, each of which is given by a category $C$ with finite products and a strong monad $T$ on $C$, such that $T$ has Kleisli exponentials (see Section 3).

In order to generalise the account of data-refinement in [20] from the $\lambda$-calculus to the $\lambda_c$-calculus, we need to characterise this class of models in terms of some mild generalisation of the notion of category with finite products, subject to a closedness condition like that in cartesian closedness. So in Section 3, we characterise the models of the $\lambda_c$-calculus as closed Freyd-categories, where the notion of Freyd-category (cf [22]) generalises that of category with finite products and models contexts, while the notion of closedness generalises that in the definition of cartesian closed category (cf [21]). A lax logical relation for the $\lambda_c$-calculus is then a Freyd-functor from the term model of a given signature into an appropriate Freyd-category generalising the category $Rel_2$ above. The definition of a Freyd-category appears in Section 4.

In order to give a Basic Lemma for lax logical relations and hence for data refinement, we require several axioms all of similar form, such as the axiom that if $f\ R_{(X \times Y) \to Z}\ g$ then $\mathrm{Curry}(f)\ R_{X \to (Y \to Z)}\ \mathrm{Curry}(g)$. In principle, we need one axiom for each term-constructor of the language, together with axioms for unCurrying and to ensure that values are respected. These axioms weaken the usual logical relation axiom, which says that two functions are related if and only if they send related arguments to related results. So in Section 4, we give a Basic Lemma and explain its use in data refinement.

There are several generalisations of the above analysis, most of which may be made using current techniques. We can generalise from set-theoretic models of a language to models in an arbitrary closed Freyd-category. We thus take our relations in an arbitrary Freyd-category too, with a little extra data and conditions, this Freyd-category generalising the category of binary relations, cf [15]. Also, we can extend from the $\lambda_c$-calculus to other languages, for instance incorporating coproducts. In general, our notion of lax logical relation extends to any language extending the $\lambda_c$-calculus and given by algebraic structure in a sense we can make precise (see [19]). We can also account for representation independence following [10]. For space reasons, we must defer this.

There has been an enormous amount of work on data refinement. Much of it stems from Hoare’s original paper on data representation [4]. Later, Hoare [5], then Hoare and He Jifeng [6], developed a category theoretic account of data refinement (see [11] for a recent account in standard category theoretic terms and see [13] for application of these ideas in practice). In that account, data refinements do compose, but as originally described, it is limited for higher order structure such as that of the $\lambda_c$-calculus, as explained by Tennent in [23]. In fact, the construction of this paper generalises that of Hoare and He by treating functions as single-valued relations. Tennent in turn advocated the use of logical relations, for which a general text is [16] and for which a category theoretic account is given in [3]. As we have explained, binary logical relations do not compose, so one seeks a mild generalisation of logical relations (see [10,20] and the work herein) in order to have the advantages of both Hoare’s formulation, which admits composability, and logical relations, which admit an account of higher order structure. An alternative is to consider call-by-value languages with data refinement modelled by predicate transformers, as David Naumann has done in [18]. There has been plenty of other work on data refinement too, but not from a category theoretic perspective, for instance [2].

The most closely related work other than that detailed in Section 2 is that of [10]. The key differences are that here, we address call-by-value languages; we also insist that contexts be preserved, motivating our key definitions of Section 3; but we do not address representation independence, which was the central computational issue addressed in that paper. Later, we plan to extend this work, using the insights of that paper, to account for representation independence. 

The paper is organised as follows. In Section 2, we recall the definition of lax logical relation for the simply typed $\lambda$-calculus and we set notation. In Section 3, we introduce the notion of Freyd-category and characterise the models of the $\lambda_c$-calculus as closed Freyd-categories. Finally, in Section 4, we show how our definitions may be used to model data refinement. A more substantial use of our whole body of work on data refinement appears in [13]. 



2 Lax Logical Relations for the Simply Typed $\lambda$-Calculus 

In this section, we review the work of [20], generalising logical relations to lax logical relations: the latter, unlike the former, compose, in the sense that if $R$ is a lax logical relation from $M$ to $N$ and $S$ is a lax logical relation from $N$ to $P$, then the pointwise composite of relations $R \circ S$ is a lax logical relation from $M$ to $P$. That makes lax logical relations, unlike logical relations, apposite for data refinement (see also [10]). Accompanying the definition of lax logical relation is a generalisation of the Basic Lemma of logical relations, allowing one to check a data refinement by checking that basic operations are respected: that is the other central tenet of data refinement, in addition to composability, as advocated, for instance, by Hoare [5]. Each of these conditions separately is easy to achieve; the combination is more difficult in the presence of higher order structure, and it is that combination that is the topic of this paper. 

We give a detailed exposition of the work in [20] as we need the various 
definitions later. 

Let $\Sigma$ be a signature of basic types and terms for the simply typed $\lambda$-calculus with products, generating a language $L$. Let $\sigma$ and $\tau$ be any types in $L$. We denote the set of functions from a set $X$ to a set $Y$ by $[X, Y]$. 

Definition 1. A model $M$ of $L$ in Set consists of 

— for each $\sigma$, a set $M_\sigma$, such that $M_{\sigma \Rightarrow \tau} = [M_\sigma, M_\tau]$, $M_{\sigma \times \tau} = M_\sigma \times M_\tau$, and $M_1 = 1$ 

— for each base term $c$ of $\Sigma$ of type $\sigma$, an element $M(c)$ of $M_\sigma$. 

A model extends inductively to send each judgement $\Gamma \vdash t : \sigma$ of $L$ to a function from $M_\Gamma$ to $M_\sigma$, where $M_\Gamma$ is the evident finite product in Set. Given a signature $\Sigma$ and two interpretations, $M$ and $N$, of the language $L$ generated by $\Sigma$, we say 

Definition 2. A binary logical relation from $M$ to $N$ consists of, for each type $\sigma$ of $L$, a relation 

$$R_\sigma \subseteq M_\sigma \times N_\sigma \qquad (1)$$

such that 

— for all $f \in M_{\sigma \Rightarrow \tau}$ and $g \in N_{\sigma \Rightarrow \tau}$, we have $f \mathrel{R_{\sigma \Rightarrow \tau}} g$ if and only if for all $(x, y) \in M_\sigma \times N_\sigma$, if $x \mathrel{R_\sigma} y$, then $f(x) \mathrel{R_\tau} g(y)$ 

— for all $(x_0, x_1) \in M_\sigma \times M_\tau$ and $(y_0, y_1) \in N_\sigma \times N_\tau$, we have $(x_0, x_1) \mathrel{R_{\sigma \times \tau}} (y_0, y_1)$ if and only if $x_0 \mathrel{R_\sigma} y_0$ and $x_1 \mathrel{R_\tau} y_1$ 

— $1 \mathrel{R_1} 1$, where $1$ is the unique element of $M_1 = N_1 = 1$ 

— $M(c) \mathrel{R_\sigma} N(c)$ for every base term $c$ in $\Sigma$ of type $\sigma$. 

The data for a binary logical relation is completely determined by its behaviour on base types. The fundamental result about logical relations is as follows. 

Definition 3. (The Basic Lemma) Let $R$ be a binary logical relation. Then for any term $t : \sigma$ of $L$ in context $\Gamma$, if $x \mathrel{R_\Gamma} y$, then $M(\Gamma \vdash t)x \mathrel{R_\sigma} N(\Gamma \vdash t)y$. 

We now outline a category theoretic formulation of logical relations [3]. The language $L$ generates a cartesian closed category, which we also denote by $L$, such that a model $M$ of the language $L$ in any cartesian closed category such as Set extends uniquely to a functor $M : L \to \mathrm{Set}$ that preserves cartesian closed structure strictly [14]. We may therefore identify the notion of model of the language $L$ with that of a functor strictly preserving cartesian closed structure from $L$ into Set. 
Definition 4. The category $\mathrm{Rel}_2$ is defined as follows: an object consists of a pair $(X, Y)$ of sets and a binary relation $R$ from $X$ to $Y$; a map from $(X, R, Y)$ to $(X', R', Y')$ is a pair of functions $(f : X \to X', g : Y \to Y')$ such that $x \mathrel{R} y$ implies $f(x) \mathrel{R'} g(y)$; composition is given by ordinary composition of functions. We denote the forgetful functor from $\mathrm{Rel}_2$ to $\mathrm{Set} \times \mathrm{Set}$ sending $(X, R, Y)$ to $(X, Y)$ by $(\delta_0, \delta_1) : \mathrm{Rel}_2 \to \mathrm{Set} \times \mathrm{Set}$. 

The category $\mathrm{Rel}_2$ is cartesian closed, and the cartesian closed structure is preserved by $(\delta_0, \delta_1)$. We typically abbre viate $\mathrm{Rel}_2$ by $\mathrm{Rel}$ when the context is clear. 

Proposition 1. To give a binary logical relation from $M$ to $N$ is equivalent to giving a functor $R : L \to \mathrm{Rel}$ strictly preserving cartesian closed structure, such that $(\delta_0, \delta_1)R = (M, N)$. 

This proposition is developed and extended in [3], giving a category theoretic 
treatment of logical relations in terms of fibrations with structure. 

It is more conceptual and compact to express the notion of lax logical relation 
in category theoretic terms, then characterise the definition in more syntactic 
terms, extending but reversing Proposition 1. 

Given a signature $\Sigma$ and the language $L$ generated by $\Sigma$, and two models $M$ and $N$ of $L$ in Set, we say 

Definition 5. A binary lax logical relation from $M$ to $N$ is a functor $R : L \to \mathrm{Rel}$ strictly preserving finite products such that $(\delta_0, \delta_1)R = (M, N)$. 

From the perspective of this definition, the Basic Lemma for lax logical relations is a triviality because the definition amounts to the assertion that for any term $t$ of $L$ of type $\sigma$ in context $\Gamma$, if $x \mathrel{R_\Gamma} y$, then $M(\Gamma \vdash t)x \mathrel{R_\sigma} N(\Gamma \vdash t)y$. So we may express the Basic Lemma as giving an equivalence between the above definition and one in more syntactic terms as follows. 

Theorem 1. (The Basic Lemma) To give a lax logical relation from $M$ to $N$ is to give for each type $\sigma$ of $L$, a relation 

$$R_\sigma \subseteq M_\sigma \times N_\sigma \qquad (2)$$

such that 

1. if $f_0 \mathrel{R_{\sigma \Rightarrow \tau}} g_0$ and $f_1 \mathrel{R_{\sigma \Rightarrow \rho}} g_1$, then $\langle f_0, f_1 \rangle \mathrel{R_{\sigma \Rightarrow (\tau \times \rho)}} \langle g_0, g_1 \rangle$ 

2. $\pi_0 \mathrel{R_{\sigma \times \tau \Rightarrow \sigma}} \pi_0$ and $\pi_1 \mathrel{R_{\sigma \times \tau \Rightarrow \tau}} \pi_1$ 

3. if $f \mathrel{R_{(\sigma \times \tau) \Rightarrow \rho}} g$, then $\mathrm{Curry}(f) \mathrel{R_{\sigma \Rightarrow \tau \Rightarrow \rho}} \mathrm{Curry}(g)$ 

4. $ev \mathrel{R_{(\sigma \times (\sigma \Rightarrow \tau)) \Rightarrow \tau}} ev$ 

5. if $f \mathrel{R_{\sigma \Rightarrow \tau}} g$ and $f' \mathrel{R_{\tau \Rightarrow \rho}} g'$, then $f'f \mathrel{R_{\sigma \Rightarrow \rho}} g'g$ 

6. $id \mathrel{R_{\sigma \Rightarrow \sigma}} id$ 

7. $x \mathrel{R_\sigma} y$ if and only if $x \mathrel{R_{1 \Rightarrow \sigma}} y$ 

8. $M(c) \mathrel{R_\sigma} N(c)$ for every base term $c$ in $\Sigma$ of type $\sigma$. 
The key point of the proof is that every map in the category $L$ is generated by the terms appearing in the above axioms. In these syntactic terms, the difference between logical relations and lax logical relations is that for the former, $f \mathrel{R} g$ if and only if $fx \mathrel{R} gy$ whenever $x \mathrel{R} y$, but the reverse direction of that equivalence does not hold for lax logical relations: it is replaced by a more complex set of rules. 

Finally, in justifying our definition for the purposes of data refinement, we 
have 

Proposition 2. If $R$ and $S$ are binary lax logical relations, then so is the composite of relations $R \circ S$. 

To see an example of a lax logical relation that is not a logical relation, simply 
take a pair of non-trivial logical relations and compose them: by the proposition, 
their composite will be a lax logical relation, but the composite is almost never 
logical. 
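To make the last remark concrete, the following Python check, added here and not part of the paper, computes both sides on two-element interpretations of a single base type: the pointwise composite of the arrow-type components of two logical relations, against the arrow-type component that a logical relation with the same base part would be forced to have. The base relations $R$ and $S$ are this example's constructions; the paper does not supply them.

```python
"""Added example (not from the paper): on two-element sets, the pointwise
composite of two logical relations is strictly coarser than the logical
relation generated by the composite of the base relations, so the composite
cannot itself be logical (it is lax logical by Proposition 2).

All three models M, N, P interpret the single base type sigma as {0, 1}.
A function on {0, 1} is encoded as the pair (f(0), f(1)). The base relations
R (from M to N) and S (from N to P) are constructed for this check.
"""
from itertools import product

BASE = (0, 1)
# Every map {0,1} -> {0,1}, encoded as (f(0), f(1)).
FUNCS = tuple(product(BASE, repeat=2))


def compose(rel_ab, rel_bc):
    """Pointwise composite: a (R;S) c iff a R b and b S c for some b."""
    return {(a, c) for (a, b) in rel_ab for (b2, c) in rel_bc if b == b2}


def arrow_extension(rel):
    """The logical-relation clause at type sigma => sigma:
    f R g  iff  for all (x, y) with x R y, f(x) R g(y)."""
    return {(f, g) for f in FUNCS for g in FUNCS
            if all((f[x], g[y]) in rel for (x, y) in rel)}


# Constructed base relations. Their composite is empty: 0 R 1, but 1 S nothing.
R_BASE = {(0, 1)}
S_BASE = {(0, 0), (0, 1)}


def composite_at_arrow_type():
    """(R;S) at sigma => sigma as the paper forms it: the pointwise composite
    of the two logical relations, taken here at the function type."""
    return compose(arrow_extension(R_BASE), arrow_extension(S_BASE))


def logical_relation_at_arrow_type():
    """What a *logical* relation from M to P with base part R;S would have to
    be at sigma => sigma: the logical clause applied to the base composite."""
    return arrow_extension(compose(R_BASE, S_BASE))


def composite_is_logical():
    """True iff the pointwise composite satisfies the logical-relation clause
    at sigma => sigma. Expected False for R_BASE, S_BASE: the composite
    relates only the 8 pairs (f, h) with f(0) = 0, while the logical clause
    over the empty base composite relates all 16 pairs."""
    return composite_at_arrow_type() == logical_relation_at_arrow_type()
```

The composite stays inside the logical extension (every pair it relates is also related by the logical clause), which is the direction that survives in lax logical relations; it is the converse, "related outputs on all related inputs implies related functions", that fails.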



3 Models of the Computational $\lambda$-Calculus 

In this section, we give a version of the computational $\lambda$-calculus, or $\lambda_c$-calculus, and analyse its models. For the simply typed $\lambda$-calculus, it was essential, in defining the notion of lax logical relation, to understand its models as cartesian categories with a closedness property. So in generalising the notion of lax logical relation to the $\lambda_c$-calculus, we seek to characterise its models as a generalisation of the notion of category with finite products, subject to a closedness condition like that for cartesian closed categories. In order to do that, we characterise $\lambda_c$-models as closed Freyd-categories. 

There are several equivalent formulations of the $\lambda_c$-calculus. We shall not use the original formulation but one of the equivalent versions. The $\lambda_c$-calculus has type constructors given by 

$$X ::= B \mid X_1 \times X_2 \mid 1 \mid X \Rightarrow Y \qquad (3)$$

where $B$ is a base type. We do not assert the existence of a type constructor $TX$: this formulation is equivalent to the original one because $TX$ may be defined to be $1 \Rightarrow X$. 

The terms of the $\lambda_c$-calculus are given by 

$$e ::= x \mid b \mid ee' \mid \lambda x.e \mid * \mid (e, e') \mid \pi_i(e) \qquad (4)$$

where $x$ is a variable, $b$ is a base term of arbitrary type, $*$ is of type $1$, with $\pi_i$ existing for $i = 1$ or $2$, all subject to the evident typing. Again, this differs from the original formulation in that we do not explicitly have a let constructor or constructions $[e]$ or $\mu(e)$. Again, the two formulations are equivalent as we may consider let $x = e$ in $e'$ as syntactic sugar for $(\lambda x.e')e$, and $[e]$ as syntactic sugar for $\lambda x.e$ where $x$ is of type $1$, and $\mu(e)$ as syntactic sugar for $e(*)$. 
The $\lambda_c$-calculus has two predicates, existence, denoted by $\downarrow$, and equivalence, denoted by $=$. The $\downarrow$ rules may be expressed as saying $* \downarrow$, $x \downarrow$, $\lambda x.e \downarrow$ for all $e$, if $e \downarrow$ then $\pi_i(e) \downarrow$, and similarly for $(e, e')$. A value is a term $e$ such that $e \downarrow$. The rules for $=$ say $=$ is a congruence, with variables allowed to range over values, and give rules for the basic constructions and for unit, product and functional types. It follows from the rules that types together with equivalence classes of terms form a category, with a subcategory determined by values. 

It is straightforward, using the original formulation of the $\lambda_c$-calculus in [17], to spell out the inference rules required to make this formulation agree with the original one: one just bears in mind that the models are the same, and we use syntactic sugar as detailed above. Space does not allow a list of the rules here. 

The $\lambda_c$-calculus represents a fragment of a call by value programming language. In particular, it was designed to model fragments of ML, but is also a fragment of other languages such as FPC (see [1]). For category theoretic models, the key feature is that there are two entities, expressions and values, so the most direct way to model the language as we have formulated it is in terms of a pair of categories $V$ and $E$, together with an identity on objects inclusion functor $J : V \to E$, subject to some generalisation of the notion of finite product in order to model contexts, further subject to a closedness condition to model $X \Rightarrow Y$. This train of thought leads directly to the notion of closed Freyd-category, which we shall compare with the original formulation of the class of models. 

A sound and complete class of models for the $\lambda_c$-calculus was given by Moggi in [17]: a model consists of a category $C$ with finite products, together with a strong monad $T$ on $C$, such that $T$ has Kleisli exponentials, i.e., for each pair of objects $X$ and $Y$, there exists an object $X \Rightarrow Y$ such that $C(Z \times X, TY)$ is isomorphic to $C(Z, X \Rightarrow Y)$ for all $Z$, naturally in $Z$. 

We recall the definitions of premonoidal category and strict premonoidal functor, and symmetries for them, as introduced in [21] and further studied in [19]. We use them to define the notion of Freyd-category. A premonoidal category is a generalisation of the concept of monoidal category: it is essentially a monoidal category except that the tensor need only be a functor of two variables and not necessarily be bifunctorial, i.e., given maps $f : X \to Y$ and $f' : X' \to Y'$, the evident two maps from $X \otimes X'$ to $Y \otimes Y'$ may differ. 

In order to make precise the notion of a premonoidal category, we need some 
auxiliary definitions. 



Definition 6. A binoidal category is a category $K$ together with, for each object $X$ of $K$, functors $h_X : K \to K$ and $k_X : K \to K$ such that for each pair $(X, Y)$ of objects of $K$, $h_X Y = k_Y X$. The joint value is denoted $X \otimes Y$. 
Definition 7. An arrow $f : X \to X'$ in a binoidal category $K$ is central if for every arrow $g : Y \to Y'$, the following diagrams commute 

$$\begin{array}{ccc} X \otimes Y & \xrightarrow{\;X \otimes g\;} & X \otimes Y' \\ {\scriptstyle f \otimes Y}\downarrow & & \downarrow{\scriptstyle f \otimes Y'} \\ X' \otimes Y & \xrightarrow{\;X' \otimes g\;} & X' \otimes Y' \end{array} \qquad\qquad \begin{array}{ccc} Y \otimes X & \xrightarrow{\;g \otimes X\;} & Y' \otimes X \\ {\scriptstyle Y \otimes f}\downarrow & & \downarrow{\scriptstyle Y' \otimes f} \\ Y \otimes X' & \xrightarrow{\;g \otimes X'\;} & Y' \otimes X' \end{array}$$

that is, $(f \otimes Y')(X \otimes g) = (X' \otimes g)(f \otimes Y)$ and $(Y' \otimes f)(g \otimes X) = (g \otimes X')(Y \otimes f)$. 

A natural transformation $\alpha : G \Rightarrow H : C \to K$ is called central if every component of $\alpha$ is central. 

Definition 8. A premonoidal category is a binoidal category $K$ together with an object $I$ of $K$, and central natural isomorphisms $a$ with components $(X \otimes Y) \otimes Z \to X \otimes (Y \otimes Z)$, $l$ with components $X \to X \otimes I$, and $r$ with components $X \to I \otimes X$, subject to two equations: the pentagon expressing coherence of $a$, and the triangle expressing coherence of $l$ and $r$ with respect to $a$ (see [9] for an explicit depiction of the diagrams). 



Proposition 3. Given a strong monad $T$ on a symmetric monoidal category $C$, the Kleisli category $Kl(T)$ for $T$ is a premonoidal category, with the functor $J : C \to Kl(T)$ preserving premonoidal structure strictly: a monoidal category such as $C$ is trivially a premonoidal category. 

So a good source of examples of premonoidal categories in general is provided 
by Moggi’s work on monads as notions of computation [17]. 

Definition 9. Given a premonoidal category $K$, the centre of $K$, denoted $Z(K)$, is the subcategory of $K$ consisting of all the objects of $K$ and the central morphisms. 

Given a strong monad on a symmetric monoidal category, the base category $C$ need not be the centre of $Kl(T)$. But, modulo the condition that $J : C \to Kl(T)$ be faithful, or equivalently, the mono requirement [17,21], i.e., the condition that the unit of the adjunction be pointwise monomorphic, it must be a subcategory of the centre. 

The functors $h_A$ and $k_A$ preserve central maps. So we have 

Proposition 4. The centre of a premonoidal category is a monoidal category. 

This proposition allows us to prove a coherence result for premonoidal categories, directly generalising the usual coherence result for monoidal categories. Details appear in [21]. 

Definition 10. A symmetry for a premonoidal category is a central natural isomorphism, with components $c : X \otimes Y \to Y \otimes X$, satisfying the two conditions $c^2 = 1$ and equality of the evident two maps from $(X \otimes Y) \otimes Z$ to $Z \otimes (X \otimes Y)$. A symmetric premonoidal category is a premonoidal category together with a symmetry. 
Symmetric premonoidal categories are those of primary interest to us, and seem to be those of primary interest in denotational semantics in general. 

Definition 11. A strict premonoidal functor is a functor that preserves all the 
structure and sends central maps to central maps. 

One may similarly generalise the definition of strict symmetric monoidal 
functor to strict symmetric premonoidal functor. 

We say a functor is the identity on objects when the object part of the functor 
is the identity function, and therefore both sets of objects are the same. 

Definition 12. A Freyd-category consists of a category $C$ with finite products, a symmetric premonoidal category $K$, and an identity on objects strict symmetric premonoidal functor $J : C \to K$. A strict Freyd-functor consists of a pair of functors that preserve all the Freyd-structure strictly. 



Definition 13. A Freyd-category $J : C \to K$ is closed if for every object $X$, the functor $J(X \otimes -) : C \to K$ has a right adjoint. A strict closed Freyd-functor is a Freyd-functor that preserves all the closed structure strictly. 

Observe that it follows that the functor $J : C \to K$ has a right adjoint, and so $K$ is the Kleisli category for a monad on $C$. We sometimes write $K$ for a Freyd-category, as the rest of the structure is usually implicit: often, it is given by $Z(K)$ and the inclusion. 

A variant of one of the main theorems of [19] is 

Theorem 2. To give a closed Freyd-category is to give a category $C$ with finite products together with a strong monad $T$ on $C$ together with assigned Kleisli exponentials. To give a strict closed Freyd-functor is to give a strict map of strong monads that strictly preserves Kleisli exponentials. 

Observe that given a category $C$ with finite products and a strong monad $T$ on it, $Kl(T)$ is a Freyd-category. A functor preserving the strong monad and the finite products strictly yields a strict Freyd-functor, but the converse is not true. 

It follows from Moggi's result, but may also be proved directly, that closed Freyd-categories provide a sound and complete class of models for the $\lambda_c$-calculus. 



4 Data Refinement for the $\lambda_c$-Calculus 

In this section, we use our analysis of the computational $\lambda$-calculus of Section 3 to generalise our account of data refinement, or lax logical relations, for the simply typed $\lambda$-calculus as in Section 2. 

For concreteness, we shall consider Set-based models of the $\lambda_c$-calculus. So assume we are given a monad $T$ on Set. Every monad on Set has a unique strength, and Kleisli exponentials always exist. So if we denote the Kleisli category by $\mathrm{Set}_T$, then $\mathrm{Set}_T$ is a closed Freyd-category (leaving Set and the canonical functor $J : \mathrm{Set} \to \mathrm{Set}_T$ implicit by the convention we adopted in the preceding section). Given a signature $\Sigma$ for the $\lambda_c$-calculus, let $L$ denote the closed Freyd-category, equivalently the $\lambda_c$-model, generated by $\Sigma$. Extending our convention for the $\lambda$-calculus, and following Hoare's convention in his modelling of data refinement [5,11], we identify the language generated by $\Sigma$ with the closed Freyd-category $L$. We denote the subcategory of values by $L_v$ with inclusion $J : L_v \to L$. Extending one of the equivalent formulations of Section 2 for the simply typed $\lambda$-calculus, we say 

Definition 14. A model $M$ of $L$ in $\mathrm{Set}_T$ is a strict closed Freyd-functor from $L$ to $\mathrm{Set}_T$. 

We shall give an example of this and later definitions at the end of the section. We now need to generalise the construction $\mathrm{Rel}_2$ to an appropriate Freyd-category. Recall that $\mathrm{Rel}_2$ has finite products, and that they are preserved by the two projections to Set. 

Proposition 5. Given a monad $T$ on Set, the following data forms a Freyd-category $\mathrm{Rel}_{2T}$ together with a pair of strict Freyd-functors from $\mathrm{Rel}_{2T}$ to $\mathrm{Set}_T$: 

— the category $\mathrm{Rel}_2$ as defined in Section 2 

— the category $\mathrm{Rel}_{2T}$ with the same objects as $\mathrm{Rel}_2$ but with an arrow from $(X, R, Y)$ to $(X', R', Y')$ given by maps $f : X \to TX'$ and $g : Y \to TY'$ such that there exists a map $h : R \to TR'$ commuting with the projections, with the evident composition 

— the canonical functor $J : \mathrm{Rel}_2 \to \mathrm{Rel}_{2T}$ 

— the projections $\delta_0, \delta_1 : \mathrm{Rel}_{2T} \to \mathrm{Set}_T$. 

The functor $J : \mathrm{Rel}_2 \to \mathrm{Rel}_{2T}$ has a right adjoint given by sending a relation $(X, R, Y)$ to the pair $(TX, TY)$ together with the subobject of $TX \times TY$ determined by the projections from $TR$. It follows that $\mathrm{Rel}_{2T}$ is closed and is therefore a $\lambda_c$-model. Axiomatically, that is because $\mathrm{Rel}_2$ is cartesian closed and Set has epi-mono factorisations. We avoid an assumption that $T$ preserves jointly monic pairs because it is not true of powerdomains: a powerdomain is a construct for modelling nondeterminism, a slightly simplified version of one being the endofunctor on Set that sends a set $X$ to its set of finite subsets, $F_f(X)$, with the operation of the endofunctor on maps given by taking the image of each finite subset. A jointly monic pair in Set amounts to a pair of sets $(X, Y)$ together with a subset $R$ of $X \times Y$. Our point here is that the set of finite subsets $F_f(R)$ of $R$ need not be exhibited by the functor $F_f$ as a subset of $F_f(X) \times F_f(Y)$, as for instance can be seen by taking $X$ and $Y$ both to be two element sets with $R$ their product. For notational simplicity, we abbreviate $\mathrm{Rel}_{2T}$ by $\mathrm{Rel}_T$ where the context is clear. 

Observe that one could extend logical relations from the $\lambda$-calculus to the $\lambda_c$-calculus by treating a logical relation for the $\lambda_c$-calculus as a strict closed Freyd-functor, or equivalently a map of $\lambda_c$-models, from $L$ to $\mathrm{Rel}_T$ commuting with the projections. 

We now extend our definition of lax logical relation from the simply typed $\lambda$-calculus to the $\lambda_c$-calculus. The central idea is to relax preservation of all structure to preservation of that structure required to model contexts, i.e., to Freyd-structure. 

Definition 15. A binary lax logical relation from $M$ to $N$ is a strict Freyd-functor $R : L \to \mathrm{Rel}_T$ such that $(\delta_0, \delta_1)R = (M, N)$. 

It is not automatically the case that a pointwise composite of binary lax logical relations is again a binary lax logical relation. That requires an extra condition on the monad $T$ on Set. The central point is that we must consider when the composite of two binary relations extends from $\mathrm{Rel}_2$ to $\mathrm{Rel}_{2T}$; the condition we need is that $T$ weakly preserves pullbacks, i.e., that if 

$$\begin{array}{ccc} P & \xrightarrow{\;h\;} & X \\ {\scriptstyle k}\downarrow & & \downarrow{\scriptstyle k'} \\ Y & \xrightarrow{\;h'\;} & Z \end{array}$$

is a pullback, then the diagram 

$$\begin{array}{ccc} TP & \xrightarrow{\;Th\;} & TX \\ {\scriptstyle Tk}\downarrow & & \downarrow{\scriptstyle Tk'} \\ TY & \xrightarrow{\;Th'\;} & TZ \end{array}$$

satisfies the existence part of the definition of pullback. This condition is the central condition used to analyse functional bisimulation in [8] with several of the same examples. Examples of such monads are powerdomains, $S \Rightarrow (S \times -)$ for a set $S$, as used for modelling side-effects, and similarly for monads used for modelling partiality, or exceptions, or combinations of the above. It does not seem to hold of the monad $(- \Rightarrow R) \Rightarrow R$ as has been used to model continuations; but that does not concern us greatly, as data refinement for continuations seems likely to follow a different paradigm to that adopted here anyway. 
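The following Python checks, added here and not part of the paper, make two of this section's assertions concrete for the finite-powerset functor $F_f$, the simplified powerdomain described after Proposition 5: first, that $F_f$ need not carry a jointly monic pair to a jointly monic pair (the two-element example mentioned there, with the collisions counted explicitly), and second, that $F_f$ does satisfy the weak pullback preservation condition just stated, on a small square constructed for the check. The sets, relations and maps are this example's own constructions; only the functor $F_f$ is the paper's.

```python
"""Added example (not from the paper): two finite checks on the finite-powerset
functor F_f, the simplified powerdomain of Section 4.

1. F_f need not send a jointly monic pair (X, R, Y) to a jointly monic pair:
   the induced map F_f(R) -> F_f(X) x F_f(Y) fails to be injective already for
   X = Y = {0, 1} and R = X x Y, the case mentioned in the text.
2. F_f does weakly preserve pullbacks: for a pullback P of k' : X -> Z and
   h' : Y -> Z, every pair (A, B) in F_f(X) x F_f(Y) with F_f(k')(A) = F_f(h')(B)
   is the image of some C in F_f(P), though not necessarily a unique one.

The sets, relations and maps used below are constructed for the check.
"""
from itertools import combinations


def finite_subsets(s):
    """F_f on objects: every subset of the finite set s."""
    items = list(s)
    return [frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)]


def image(fn, subset):
    """F_f on maps: a subset is sent to its image."""
    return frozenset(fn(a) for a in subset)


def first(p):
    return p[0]


def second(p):
    return p[1]


def pairing_fibres(rel):
    """Group F_f(R) by its image under (F_f(pi_0), F_f(pi_1)).

    Keys are pairs (A, B) with A in F_f(X), B in F_f(Y); each value lists the
    subsets of R sent to that pair. A fibre with several elements shows that
    F_f(R) is not exhibited as a subset of F_f(X) x F_f(Y).
    """
    fibres = {}
    for c in finite_subsets(rel):
        fibres.setdefault((image(first, c), image(second, c)), []).append(c)
    return fibres


def jointly_monic_after_ff(rel):
    """True iff (F_f(pi_0), F_f(pi_1)) is injective on F_f(R)."""
    return all(len(v) == 1 for v in pairing_fibres(rel).values())


def pullback(X, Y, kp, hp):
    """The pullback P of kp : X -> Z and hp : Y -> Z in Set, as a set of pairs."""
    return frozenset((x, y) for x in X for y in Y if kp(x) == hp(y))


def weak_pullback_failures(X, Y, kp, hp):
    """Count pairs (A, B) in F_f(X) x F_f(Y) that agree in F_f(Z) but are not
    jointly the image of any C in F_f(P). Zero means the existence part of
    the pullback property holds for the F_f-image of the square."""
    candidates = finite_subsets(pullback(X, Y, kp, hp))
    failures = 0
    for A in finite_subsets(X):
        for B in finite_subsets(Y):
            if image(kp, A) != image(hp, B):
                continue
            if not any(image(first, C) == A and image(second, C) == B
                       for C in candidates):
                failures += 1
    return failures


# Constructed data for check 1: two-element sets with R their product.
TWO = frozenset({0, 1})
FULL_REL = frozenset((x, y) for x in TWO for y in TWO)
DIAGONAL = frozenset((x, x) for x in TWO)   # a relation F_f does respect

# Constructed data for check 2: a square over Z = {0, 1}.
X3 = frozenset({0, 1, 2})
Y3 = frozenset({"a", "b", "c"})


def k_prime(x):
    return x % 2


def h_prime(y):
    return {"a": 0, "b": 1, "c": 1}[y]
```

For the product relation on two-element sets, the 16 subsets of $R$ land on only 10 distinct pairs $(A, B)$, and seven of them (including $\{(0,0),(1,1)\}$ and $\{(0,1),(1,0)\}$) collide on $(\{0,1\}, \{0,1\})$; that collision is exactly why an arrow of $\mathrm{Rel}_{2T}$ is defined by the existence of some $h : R \to TR'$ over the projections rather than by an induced inclusion. For the pullback check the count of failures is zero, which is the existence half of the pullback property that Theorem 3 needs; uniqueness is not claimed and indeed fails for the same reason as in the first check.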

Theorem 3. Let $T$ be a monad on Set that weakly preserves pullbacks. Then for any lax logical relations $R : L \to \mathrm{Rel}_T$ and $S : L \to \mathrm{Rel}_T$ such that $\delta_1 R = \delta_0 S$, the pointwise composite of relations yields a lax logical relation $R \circ S$. 

The proof requires one use of the fact that strong epimorphisms in Set are retracts. One can avoid it by a more delicate use of epi-mono factorisations, allowing the result to extend from Set to a regular cartesian closed category. There would be more difficulty if we demanded that a lax logical relation preserve not merely Freyd-structure but also the monad, as one would need a condition such as $T$ preserving strong epimorphisms, contradicting examples such as $T = S \Rightarrow (S \times -)$. 

There are two central assertions in our definition: every map in $L$ is sent to a map in $\mathrm{Rel}_T$, and every map in $L_v$ is sent to a map in $\mathrm{Rel}$. Given models $M$ and $N$ of $L$, the first condition says that for every expression in context, $\Gamma \vdash e : \sigma$, if $x \mathrel{R_\Gamma} y$, then $M(\Gamma \vdash e : \sigma)x$ is related to $N(\Gamma \vdash e : \sigma)y$ by the relation generated by $TR_\sigma$. For instance, if $T$ was a powerdomain, then for any nondeterministic program, if two inputs are related, for every possible output of either, there is a related possible output of the other, as in bisimulation. The second condition says that if one has a value, then if $x \mathrel{R_\Gamma} y$, one must have the stronger result that $M(\Gamma \vdash e : \sigma)x \mathrel{R_\sigma} N(\Gamma \vdash e : \sigma)y$. So for instance, $\lambda$-terms are related in the usual way. So our definition of lax logical relation amounts to the conclusion of a statement of a Basic Lemma for lax logical relations. 

Using our definition as a conclusion, we now give a generalised Basic Lemma for lax logical relations for the $\lambda_c$-calculus, generalising our result in Section 2. Thus we seek syntactic conditions that imply that every map in $L$ is sent to a map in $\mathrm{Rel}_T$ and that every map in $L_v$ is sent to a map in $\mathrm{Rel}$. Owing to the presence of $\lambda$-abstraction, every map in $L$ is the unCurrying of a map in $L_v$ with domain $1$, so except for one condition saying that unCurrying preserves relations, we need only give conditions about maps in $L_v$. The list of axioms may seem long, but it is not much longer than that in Section 2, and the axioms correspond closely to the type and term constructors of the language. The key point is that there is no converse to the final axiom: a converse would give a notion of logical relation and would disallow composability. 

Theorem 4. (The Basic Lemma) To give a lax logical relation from $M$ to $N$ is to give for each type $\sigma$ of $L$, a relation 

$$R_\sigma \subseteq M_\sigma \times N_\sigma \qquad (5)$$

such that 

1. if $f_0 \mathrel{R_{\sigma \Rightarrow \tau}} g_0$ and $f_1 \mathrel{R_{\sigma \Rightarrow \rho}} g_1$, then $\langle f_0, f_1 \rangle \mathrel{R_{\sigma \Rightarrow (\tau \times \rho)}} \langle g_0, g_1 \rangle$ 

2. $\pi_0 \mathrel{R_{\sigma \times \tau \Rightarrow \sigma}} \pi_0$ and $\pi_1 \mathrel{R_{\sigma \times \tau \Rightarrow \tau}} \pi_1$ 

3. if $f \mathrel{R_{(\sigma \times \tau) \Rightarrow \rho}} g$, then $\mathrm{Curry}(f) \mathrel{R_{\sigma \Rightarrow \tau \Rightarrow \rho}} \mathrm{Curry}(g)$ 

4. $ev \mathrel{R_{(\sigma \times (\sigma \Rightarrow \tau)) \Rightarrow \tau}} ev$ 

5. if $f \mathrel{R_{\sigma \Rightarrow \tau}} g$ and $f' \mathrel{R_{\tau \Rightarrow \rho}} g'$, then $f'f \mathrel{R_{\sigma \Rightarrow \rho}} g'g$ 

6. $id \mathrel{R_{\sigma \Rightarrow \sigma}} id$ 

7. $\eta(M(c)) \mathrel{R} \eta(N(c))$ for every base term $c$ in $\Sigma$ of type $\sigma$ 

8. if $x \mathrel{R_\sigma} y$ and $f \mathrel{R_{\sigma \Rightarrow \rho}} g$, then $fx \mathrel{R_\rho} gy$ 

9. $(x_0, x_1) \mathrel{R_{\sigma \times \tau}} (y_0, y_1)$ if and only if $x_0 \mathrel{R_\sigma} y_0$ and $x_1 \mathrel{R_\tau} y_1$ 

10. $* \mathrel{R_1} *$ 

11. if $x \mathrel{R_{1 \Rightarrow \sigma}} y$, then $T(R_\sigma)$ induces a relation between $x(*)$ and $y(*)$. 
Proof. For the forward direction, the relations are given by the object part of the strict Freyd-functor. The first ten conditions follow from the fact that $R$ has an action on all maps, and from the fact that it strictly preserves finite products. For instance, there is a map in $L_v$ from $(\sigma \Rightarrow \tau) \times (\sigma \Rightarrow \rho)$ to $\sigma \Rightarrow (\tau \times \rho)$, so that map is sent by $R$ to a map in $\mathrm{Rel}$ and $R$ strictly preserves finite products, yielding the first condition. So using the definition of a map in $\mathrm{Rel}$ and the fact that $(\delta_0, \delta_1)R = (M, N)$ and the fact that $M$ and $N$ are strict structure preserving functors, we have the result. The final condition holds because $R$ is a functor. 

For the converse, the family of relations gives the object part of the strict Freyd-functor $R$. The ninth and tenth axioms imply that $R$ strictly preserves finite products if it forms a functor. The data for $M$ and $N$ and the coherence condition $(\delta_0, \delta_1)R = (M, N)$ on the putative strict Freyd-functor determine its behaviour on maps. It remains to check that the image of every map in $L$ lies in $\mathrm{Rel}_T$ and the image of every map in $L_v$ lies in $\mathrm{Rel}$. The first seven conditions inductively define the Currying of every map in $L$, so unCurrying by using the sixth, eighth, fifth and eleventh conditions, it follows that $R$ is a functor. The eighth, ninth, and tenth conditions ensure that $R$ restricts to a functor from $L_v$ to $\mathrm{Rel}$. It is routine to verify that these constructions are mutually inverse. 

One might wonder why we require the ninth and tenth conditions here while they do not appear in Theorem 1. The reason is that the seventh condition of Theorem 1 mirrors an equivalence that holds for the simply typed $\lambda$-calculus but does not hold for the computational $\lambda$-calculus, the equivalence being that $\sigma$ is equivalent to $1 \Rightarrow \sigma$. That condition allows one to deduce ordinary $\lambda$-calculus versions of our ninth and tenth conditions here. The failure of that equivalence for the computational $\lambda$-calculus is also why our eleventh condition here corresponds to only one direction of the seventh condition of Theorem 1 too: for the eleventh condition, we use the expression induce because $T(R_\sigma)$ might not be a subobject of $T(\sigma) \times T(\tau)$ but it does have an epi-jointly monic factorisation, and that is what we intend. 

Finally, we shall consider an example to see how this all works in practice. 

Example 1. Consider the computational $\lambda$-calculus $L_{stack}$ generated by the data for a stack. We have base types $Stack$ and $Nat$, and we have base terms including $pop$ and $push$. The intended semantics of the unCurrying of $pop$ is a partial function from $M(Stack)$ to $M(Stack)$, with $M(Stack)$ being the usual set of stacks. The partiality of the intended semantics for $pop$ is the reason it is convenient to consider the computational $\lambda$-calculus here rather than the ordinary $\lambda$-calculus. Let $M$ be the intended semantics for stacks in $\mathrm{Set}_\bot$, where $\bot$ is the usual lifting monad on Set. Recall, or note, that $\bot$ weakly preserves pullbacks, so our composability result holds. Let $N$ be a model of $L_{stack}$ in $\mathrm{Set}_\bot$ generated by modelling stacks in terms of trees, so $N(Stack)$ is the set of non-empty finite trees. Define a logical relation $R$ from $M$ to $N$ by defining it on base types as the identity on $Nat$ and on $Stack$, by the usual relationship between stacks and trees. This respects base terms, so it automatically lifts to higher types. We might further define a model $P$ of $L_{stack}$ in $\mathrm{Set}_\bot$ by modelling stacks by lists of natural numbers. We then have a logical relation $S$ from $N$ to $P$ generated by the identity on $Nat$ and on $Stack$, by relating finite trees with lists. Now taking the pointwise composite $R \circ S$, we have a lax logical relation from $M$ to $P$. 
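As an added illustration, not part of the paper, the following Python code runs the checks Example 1 describes on finite fragments of three models of the stack signature in $\mathrm{Set}_\bot$: the premise of the Basic Lemma (push and pop respect the base relation, with the partiality of pop handled through the lifted relation $\bot(R)$) and the pointwise composite of the relations from $M$ to $N$ and from $N$ to $P$. The encodings (tuples, nested pairs standing in for trees, digit strings standing in for lists), the bound on stack length, the finite fragment of $Nat$ and the deliberately wrong model $Q$ are all this example's constructions.

```python
"""Added example (not from the paper): a finite sanity check of the stack
refinement of Example 1 in Set_bot, with bot represented by None.

Three constructed models of the stack signature are compared: M encodes a
stack as a tuple, N as a nested pair (a right-leaning finite tree, () being
the leaf) and P as a string of digits standing in for a list of naturals.
pop is a Kleisli map (it may return None on the empty stack); push is a value.
Relations are finite sets of pairs over stacks of bounded length, so the
premise of the Basic Lemma (base operations respect the relation) and the
pointwise composite R o S can be checked by enumeration. A fourth model Q,
whose pop is total, is included to show the check failing.
"""
from itertools import product

BOTTOM = None        # the adjoined element of the lifting monad
NATS = (0, 1)        # finite fragment of Nat, so that enumeration terminates
DEPTH = 2            # inputs checked are stacks of length <= DEPTH


def stacks_up_to(depth):
    """Abstract stacks: sequences over NATS of length <= depth, top last."""
    for k in range(depth + 1):
        yield from product(NATS, repeat=k)


def to_tree(seq):
    """Encode a sequence as nested pairs: (top, rest), with leaf = ()."""
    t = ()
    for n in seq:
        t = (n, t)
    return t


# Each model: an encoding of abstract stacks, and the two base operations.
M = {"enc": tuple,
     "push": lambda n, s: s + (n,),
     "pop": lambda s: s[:-1] if s else BOTTOM}
N = {"enc": to_tree,
     "push": lambda n, t: (n, t),
     "pop": lambda t: t[1] if t else BOTTOM}
P = {"enc": lambda seq: "".join(str(n) for n in seq),
     "push": lambda n, s: s + str(n),
     "pop": lambda s: s[:-1] if s else BOTTOM}
# Q agrees with P except that pop of the empty stack returns the empty stack
# instead of bot, so Q does not refine a model whose pop is partial.
Q = dict(P, pop=lambda s: s[:-1])


def gen_rel(A, B, depth):
    """Relation on Stack between models A and B: 'same abstract sequence'."""
    return {(A["enc"](s), B["enc"](s)) for s in stacks_up_to(depth)}


def lifted(rel):
    """T(R) for the lifting monad: R together with (bot, bot)."""
    return rel | {(BOTTOM, BOTTOM)}


def compose(rel_ab, rel_bc):
    """Pointwise composite of relations: a (R o S) c iff a R b and b S c."""
    successors = {}
    for b, c in rel_bc:
        successors.setdefault(b, set()).add(c)
    return {(a, c) for a, b in rel_ab for c in successors.get(b, ())}


def respects_base_ops(A, B, inputs, rel):
    """Premise of the Basic Lemma for the stack signature.

    For every related pair of input stacks, push (a value) must give
    rel-related stacks and pop (a Kleisli map) must give T(rel)-related
    results. `rel` must cover stacks one longer than those in `inputs`.
    """
    push_ok = all((A["push"](n, a), B["push"](n, b)) in rel
                  for a, b in inputs for n in NATS)
    pop_ok = all((A["pop"](a), B["pop"](b)) in lifted(rel) for a, b in inputs)
    return push_ok and pop_ok


def refines(A, B):
    """Does the generated relation from A to B respect push and pop?"""
    return respects_base_ops(A, B, gen_rel(A, B, DEPTH), gen_rel(A, B, DEPTH + 1))


def composite_refines():
    """R (M to N) and S (N to P) composed pointwise give the relation one
    would write directly from M to P, and that composite still respects the
    base operations, as Theorem 3 predicts for the lifting monad."""
    RS = compose(gen_rel(M, N, DEPTH + 1), gen_rel(N, P, DEPTH + 1))
    inputs = compose(gen_rel(M, N, DEPTH), gen_rel(N, P, DEPTH))
    return RS == gen_rel(M, P, DEPTH + 1) and respects_base_ops(M, P, inputs, RS)
```

The failing case is instructive: on the pair of empty stacks, $M$'s pop yields $\bot$ while $Q$'s yields the empty stack, and $(\bot, \text{empty})$ is not in the lifted relation, so $Q$ is rejected even though it agrees with $P$ on every non-empty stack. That is the first of the two central assertions in Definition 15 (expressions are related through $TR_\sigma$) doing its work.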

5 Conclusions and Further Work 

We have defined lax logical relations for data refinement in call-by-value languages represented by the computational $\lambda_c$-calculus. Binary lax logical relations compose, and have a basic lemma, thus satisfying two key criteria for data refinement. 

The $\lambda_c$-calculus has a narrow range of type and term constructors. But the techniques herein apply in the considerably greater generality of call-by-value calculi with models in $\mathrm{Set}_T$-categories with algebraic structure [19]. So we could include an account of finite coproducts for instance. 

We have also not addressed representation independence, the topic of [10], 
but the techniques of [10], based on the sketches in [12], extend to the setting 
of this paper. So we plan to make that extension. We hope for a converse to the 
leading result therein too. 

Finally, for logical relations for the $\lambda$-calculus, if one asserts that the functor $(\delta_0, \delta_1)$ be a fibration, then the logical structure is given by the internal language of the category theoretic structure [3]. It is not clear how to extend our analysis to such a result, but the concept of fibration may be the key construct. We may need to restrict attention to each fibre being a poset. 
Abstract. Term rewriting is an important computational model with applications in algebra, software engineering, declarative programming, and theorem proving. In term rewriting, computation is achieved by directed equations and pattern matching. In this tutorial we give an introduction to term rewriting. 

The tutorial is organized as follows. After presenting several motivating examples, we explain the basic concepts and results in term rewriting: abstract rewriting, equational reasoning, termination techniques, confluence criteria, completion, strategies, and modularity. The tutorial concludes with a selection of more specialized topics as well as more recent developments in term rewriting: narrowing, advanced termination techniques (dependency pairs), conditional rewriting, rewriting modulo, tree automata techniques, and higher-order rewriting. 
Abstract. Interactive theorem provers are tools that assist humans in constructing formal proofs. They have been the subject of over two decades of research, and are now capable of tackling problems of real practical interest in software and hardware verification. Some of the most effective of these tools are based on expressive type theories. This tutorial is about interactive theorem proving based on type theory, with a slant toward type theories, such as Nuprl and PVS, where expressive power has been pushed at the expense of traditional properties such as decidability of typechecking. The tutorial will cover type theoretic foundations, practical issues in the design of type theories for verification, and techniques for automating reasoning in the context of interactive systems. We will also cover some of the recent work on cooperation between interactive provers and with automatic verification tools such as model checkers. 